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INTRODUCTION 
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Pat len-Johnson  Associates,  Inc.  has  performed  a  detailed  reliability  analysis 
of  the  Type  AN/GRN-27(V)  Instrument  Landing  System  (ILS)  or  Type  II  I LS  manu¬ 
factured  by  Texas  Instruments,  Inc.  This  system  Is  commonly  designated  the 
GRN-27,  which  will  also  be  used  in  this  report.  The  system  transmits  signals 
which  provide  landing  guidance  for  approaching  aircraft.  The  reliability 
analysis  was  performed  to  determine  the  probability  of  radiation  of  a  hazard¬ 
ous  signal  and  the  probability  of  a  system  shutdown  durtng  the  critical  final 
stages  of  a  landing.  Also,  a  number  of  system  modifications  which  could  be 
implemented  to  improve  reliability  were  evaluated. 

The  objective  of  the  study  was  to  establish  whether  the  GRN-27  ILS  could  satis¬ 
fy  the  reliability  guidelines  expected  to  be  established  by  the  International 
Civil  Aviation  Organization  (ICAO)  for  an  ILS  which  is  to  be  used  during  limited 
visibility  conditions  (Category  III).  Those  guidelines  specify  that  the  prob¬ 
ability  of  hazardous  radiation  due  to  equipment  failure  should  be  less  than 
-9 

0.5  X  10  for  the  localizer  or  the  glides  lope  during  any  landing  sequence  and 
the  probability  of  localizer  or  glides  lope  shutdown  should  be  less  than 
2.0  X  10  ^  during  the  critical  final  stages  of  a  landing  sequence.  Although 
these  guidelines  are  not  strict  requirements,  it  is  likely  that  the  United 
States  and  most  other  ICAO  member  nations  wil I  attempt  to  meet  them. 

The  reliability  analysis  was  based  upon  a  study  of  another  system,  designated 
th**  Mark  III  ILS,  which  was  built  using  many  of  the  same  sub-assemblies  con¬ 
tained  in  the  GRN-27  but  also  incorporates  more  extensive  monitoring  and 
higher  levels  of  redundancy.  Texas  Instruments  manufactured  the  Mark  III  Sys¬ 
tem  and  performed  the  reliability  study  of  the  system.  The  analysis  consisted 
of  identifying  all  the  failure  modes  of  each  subassembly  in  the  ILS  and  com¬ 
puting  the  rate  of  failure  for  each  mode.  The  subassembly  failure  modes  were 
then  considered  alone  and  in  combination  to  determine  how  the  system  as  a 
whole  could  fail.  For  each  such  system  failure  mode,  the  probability  of  fail¬ 
ure  was  computed.  Finally,  the  probability  of  hazardous  radiation  and  of  a 
system  shutdown  were  computed.  As  currently  operated,  the  computed  probability 
of  an  undetected  hazardous  radiation  occuring  between  system  checks  is 
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8.75  X  10"  for  the  localizer  and  approximately  8.7  X  10  for  all  versions  of 

the  glides  lope.  The  probability  of  a  system  shutdown  is  1.81  X  10*^  for  the 
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localizer  (during  a  30  second  critical  period),  and  approximately  6.25  X  10 
for  all  versions  of  the  glides  lope  (for  a  15  second  period). 

Since  the  GRN-27  I LS  as  currently  operated  does  not  meet  the  hazardous  radiation 
guidelines  specified  above,  various  changes  in  the  system  and/or  operating 
system  have  been  considered  to  improve  its  reliability.  A  previous  effort  by 
Texas  Instruments  to  produce  an  I LS  suitable  for  all  weather  landings  resulted 
in  the  Mark  III  ILS.  Only  a  few  of  the  Mark  III  systems  were  produced.  Al¬ 
though  they  satisfy  the  ICAO  reliability  guidelines,  it  would  be  prohibitively 
expensive  to  modify  the  GRN-27  units  to  be  the  same  as  the  Mark  III  systems. 

Of  all  the  alternatives  considered  to  improve  the  reliability  of  the  GRN-27, 
one  appears  to  be  the  most  cost-effective.  That  alternative  consists  of  more 
frequent  tests  for  hidden  fai lures.  The  tests  can  be  performed  by  introducing 
a  simulated  fault  into  the  monitoring  system  and  determining  whether  the  system 
transfers  to  the  standby  transmitter.  Such  a  fault  could  be  introduced  using 
relays  which  have  been  built  into  the  monitor  channels  for  that  purpose.  How¬ 
ever,  if  it  would  be  desirable  to  activate  these  relays  from  the  control  tower, 
conductors  would  have  to  be  laid  from  the  ILS  equipment  shelter  to  the  tower 
if  none  are  available.  The  check  would  have  to  be  performed  approximately  once 
a  day  to  achieve  the  level  of  reliability  specified  by  the  ICAO  guidelines. 

An  effort  was  made  to  correlate  actual  field  experience  with  the  theoretical 
failure  calculations.  To  this  end  the  facility  maintenance  logs  from  sixty- 
nine  GRN-27  facilities  for  the  calendar  year  1981  were  analyzed  and  the  un¬ 
scheduled  outages  recorded  were  compared  with  the  theoretical  calculations. 

The  field  experience  was  consistent  with  the  theoretical  results.  Also,  the 
recorded  outages  revealed  problem  areas  in  the  ILS  equipment.  Peak  detector 
failures,  in  particular,  accounted  for  a  relatively  large  number  of  outages. 
Improvements  in  the  transmitter  and  removal  of  the  localizer  misalignment 
detectors  could  also  eliminate  some  outages. 
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ILS  RELIABILITY  REQUIREMENTS 
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Standards  and  Recommended  Practices  (SARP’s),  and  guidance  material  have  been 
developed  by  the  ICAO  for  navigation  aids,  including  ILS.  For  the  purpose  of 
describing  reliability  criteria  and  relating  them  to  different  levels  of  per¬ 
formance,  the  following  ILS  facility  performance  categories  are  defined 


(Reference  1): 

Category  1 

Provides  guidance  information  from  the  coverage  limit  i 

of  the  ILS  to  the  point  at  which  the  localizer  course 

line  Intersects  the  glide  path  at  a  height  of  200  feet 
or  less  above  the  horizontal  plane  containing  the 

threshold. 

Category  1 1 

Provides  guidance  information  from  the  coverage  limit 

of  the  ILS  to  the  point  at  which  the  local Izer  course 

line  intersects  the  glide  path  at  a  height  of  50  feet 

or  less  above  the  horizontal  plane  containing  the 

threshold. 

Category  1  1  1 

-  With  the  aid  of  ancillary  equipment  where  necessary, 

provides  guidance  Information  from  the  coverage  limit 

of  the  facility  to,  and  along,  the  surface  of  the  runway. 

Each  ILS  Facility  Performance  Category  has  operational  objectives  as  follows 
(Reference  1,  Attachment  C): 
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Category  I  -  Operation  down  to  200  feer  decision  height  with  a  runway 
visual  range  of  not  less  than  a  value  of  the  order  of 
2600  feet  with  a  high  probability  of  approach  success. 

Category  II  -  Operation  down  to  100  feet  decision  height  and  with  a 

runway  visual  range  of  not  less  than  a  value  of  the  order 
of  1200  feet  with  a  high  probability  of  approach  success. 


2-1 


Category  IMA  -  Operation  with  no  decision  height  limitation  to  and  along 
the  surface  of  the  runway  with  external  visual  reference 
during  the  final  phase  of  landing  and  with  a  runway  visual 
range  of  not  less  than  a  value  of  the  order  of  700  feet. 


Category  NIB  -  Operation  with  no  decision  height  limitation  to  and  along 
the  surface  of  the  runway  without  reliance  on  external 
visual  reference;  and,  subsequently,  taxiing  with  external 
visual  reference  in  a  visibility  corresponding  to  a  run¬ 
way  visual  range  of  not  less  than  a  value  of  the  order  of 
150  feet. 

Category  I  I  1C  -  Operation  with  no  decision  height  limitation  to  and  along 
the  surface  of  the  runway  and  taxiways  without  reliance  on 
external  visual  reference. 

These  operational  objectives  are  intended  for  "guidance  and  clarification"  only 
and  are  not  part  of  the  ICAO  SAPP's.  However,  these  objectives  are  widely 
accepted  as  standards  for  IIS  operation. 

Reliability  objectives  are  also  specified  in  Reference  1,  Attachment  C.  The 
objectives  consist,  in  part,  of  the  following: 

Category  I  I  and  I  I  I 

•  "...it  is  of  upmost  importance  that  the  integrity  and  continuity 
of  services  of  the  ground  equipment  is  very  high." 

•  The  monitors  should  be  designed  to  ensure  fail  safe  operation. 
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•  "Reliability  of  ground  equipment  must  be  very  high,  so  as  to 
ensure  that  safety  during  the  critical  phase  of  approach  and 
landing  is  not  impaired  by  a  ground  equipment  failure  when  the 
aircraft  is  at  such  a  height  or  attitude  that  it  is  unable  to 
take  corrective  action". 

•  "One  analysis  has  shown  that  the  continuity  of  service  of  an  I LS 
installation  used  for  Category  I  I  I A  operation  should  be  such 
that  the  localizer  facility  and  the  glide  path  facility  each 
have  a  MTBF  of  4000  hours  or  more." 

Additional  reliability  objectives  specified  in  reference  are  also  expressed 
in  general  terms. 

In  an  effort  to  establish  more  specific  reliability  objectives  for  I LS  equip¬ 
ment,  the  AM  Weather  Operations  Panel  (AW0D)  of  the  ICAO  proposed  a  set  of 
reliability  levels  in  December  of  1982.  The  levels  are  specified,  in  part,  in 
terms  of  the  probability  of  hazardous  radiation  during  any  one  landing  (signal 
integrity),  the  probability  of  a  system  shutdown  during  the  critical  landing 
time  interval  (signal  continuity),  and  mean  time  between  operational  outages 
(MTBO).  Table  2-1  shows  the  proposed  requirements  for  each  reliability  level 
of  the  localizer  or  glide  path. 


Table  2-1 

PROPOS ED  RELIABILITY  LEVELS 


Proposed 

Level 

Desiq nation 

Probabi 1 ity  of 
Hazardous  Radiation 
in  any  One  Land i no 

Probab i 1 i ty  of  a 
Shutdown  During 
Indicated  Interval 

MTBO  (hours) 

Leve  1  1 

Not  Def i ned 

Not  Def i ned 

Not  Def i ned 

Level  2 

1.0  X  10-6 

4.0  X  !0“6  (15  sec) 

1000 

Leve  1  3 

0.5  X  10‘9 

2.0  X  10-6  (15  sec) 

2000 

Leve  1  4 

0.5  X  10'9 

2.0  X  10-6  ( loc-30 

sec) 

4000  (loc) 

(gp  -15 

sec) 

2000  (gp) 

These  reliability  levels  are  likely  to  be  accepted  as  general  guidelines  for 
Operational  Performance  Usage  with  Level  1  applying  to  Category  I,  Level  2  to 
Category  II,  Level  3  to  Category  MIA,  Level  4  to  Category  I  I  IB  and  MIC.  The 
proposed  set  of  levels  has  not  yet  been  accepted  by  ICAO.  However,  acceptance 
is  expected  with  few,  if  any  changes. 

The  following  new  tentative  guidance  material,  essentially  as  proposed  by  AWOP 
partially  describes  the  conditions  as  understood  to  be  applicable  to  the  numbers 
proposed  in  Table  2-1. 

•  An  integrity  failure  can  occur  if  radiation  of  a  signal  is  either  un¬ 
recognized  by  the  monitoring  equipment  or  the  control  circuits  fail 

to  remove  the  faulty  signal.  Such  a  failure  might  constitute  a  hazard 
if  it  results  in  a  gross  error. 

•  Clearly,  not  all  integrity  failures  are  hazardous  in  all  phases  of  the 
approach.  For  example,  during  the  final  critical  stages  of  the  approach, 
undetected  failures  producing  gross  errors  in  course  width  or  course 
line  shifts  are  of  special  significance,  whereas  an  undetected  change 

in  modulation  depth,  or  loss  of  localizer  and  glideslope  clearance, 
and  localizer  identification  would  not  necessari ly  produce  a  hazardous 
situation.  The  criterion  in  assessing  which  failure  modes  are  relevant 
must  however  include  all  those  fault  conditions  which  are  not  unquestion¬ 
ably  obvious  but  are  deleterious  to  the  automatic  flight  system  or  the 
pi  lot. 

•  With  regard  to  integrity,  since  the  probability  of  occurrence  of  an  un¬ 
safe  failure  within  the  monitoring  or  control  equipment  is  extremely 
remote,  to  establish  the  required  integrity  level  with  a  high  degree  of 
confidence  would  necessitate  an  evaluation  period  many  times  that  needed 
to  establish  the  equipment  MTBF.  Such  a  protracted  period  is  unaccept¬ 
able  and  therefore  the  required  integrity  level  can  only  be  predicted 

by  rigorous  design  analysis  of  the  equipment. 


•  The  MTBF  of  equipment  is  governed  by  basic  construction  and  operating 
environment.  Equipment  design  should  employ  the  most  suitable  engin¬ 
eering  techniques,  materials  and  components,  and  rigorous  inspection 
should  be  applied  during  manufacture.  It  is  essential  to  ensure  that 
equipment  is  operated  within  the  environmental  conditions  specified 
by  the  manufacturer.  The  manufacturer  should  be  requested  to  provide 
the  details  of  the  design  to  enable  the  MTBF  and  continuity  of  service 
to  be  calculated.  It  is  recommended  that  the  equipment  MTBF  should  be 
confirmed  by  evaluation  in  an  operational  environment  to  take  account 
of  the  impact  of  operational  factors,  i.e.,  airport  environment,  in¬ 
clement  weather  conditions,  power  availability,  quality  and  frequency 
of  maintenance,  etc.  For  integrity  and  continuity  of  service  levels 
2,  3  or  4,  the  evaluation  period  should  be  sufficient  to  determine 
achievement  of  the  required  level  with  a  high  degree  of  confidence. 

•  Continuity  of  service  performance  may  be  demonstrated  by  means  of 
MTBO  (Mean  Time  Between  Outages)  where  an  outage  is  defined  as  any  un¬ 
anticipated  cessation  of  s igna I- i n-space.  It  is  calculated  by  dividing 
the  total  facility  up-time  by  the  number  of  operational  failures.  MTRF 
and  MTBO  are  not  always  equivalent,  as  not  all  equipment  failures  will 
necessarily  result  in  an  outage,  eg.,  an  event  such  as  a  failure  of  a 
transmitter  resulting  in  the  immediate  transfer  to  a  standby  trans¬ 
mitter.  The  minimum  MTBO  values  expected  for  the  continuity  of  service 
have  been  derived  from  several  years  of  operational  experience  of  many 
systems.  To  determine  whether  the  performance  record  of  an  individual 

I LS  system  justifies  its  assignment  to  level  2,  3  or  4  requires  a 
judicious  consideration  of  such  factors  as: 

1)  the  performance  record  and  experience  of  system  use  established 
over  a  suitable  period  of  time; 

2)  the  average  achieved  MTBO  established  for  this  type  of  IIS;  and 

3)  the  trend  of  failure  rates 

An  assigned  designation  should  not  be  subject  to  frequent  change. 
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The  GRN-27  I LS  was  manufactured  by  Texas  Instruments  to  U.S.  Department  of 
Defense  specifications,  and  has  been  used  mainly  for  Category  II  Operations. 

A  few  Mark  III  I LS  units  were  also  manufactured  by  Texas  Instruments.  Those 
units  utilize  many  of  the  same  subassemblies  as  the  GRN-27  but  incorporate 
more  extensive  monitoring  and  higher  levels  of  redundancy.  The  Tt  Mark  III  I LS 
was  built  to  U.S.  Federal  Aviation  Administration  (FAA)  specifications  at  a 
time  when  ICAO  reliability  guidelines  were  general  in  nature  and  long  before 
the  minimums  shown  in  Tabie  2-1  were  proposed. 

With  little  ICAO  guidance,  the  FAA  set  reliability  requirements  on  the  Tl 
Mark  III  System  with  the  goal  that  the  use  of  the  I LS  would  be  as  safe  as  a 
person  can  predictably  expect  to  be  in  day-to-day  activities  (Reference  2). 

Those  requirements  were  as  follows:  The  theoretical  probability  of  a  poten¬ 
tially  hazardous  signal  fault,  including  loss  of  signal,  during  any  10-second 
period  for  the  localizer  and  any  5-second  period  for  the  glide  slope,  should 
not  exceed  1.0  X  10  7  due  to  equipment  failure.  The  results  of  a  failure 
modes,  effects  and  criticality  analysis  of  the  Ti  Mark  III  I LS  show  that  the 
system  meets  the  FAA  reliability  requirements  (Reference  3).  As  will  be  shown 
in  Section  5,  the  Tl  Mark  III  I LS  also  meets  the  standards  set  for  all  categories 
i n  Table  2-1 . 

There  is  currently  a  requirement  to  qualify  many  of  the  U.S.  GRN-27  I LS  in¬ 
stallations  for  Category  III  operational  status.  As  will  be  shown  In  Section 
5,  as  currently  operated,  the  GRN-27  I LS  will  not  meet  the  Category  III  re¬ 
liability  limits  In  Table  2-1.  Assuming  that  the  standards  set  'n  Table  2-1 
are  adopted,  the  GRN-27  will  either  have  to  be  replaced  or  modified  to  meet 
these  standards. 
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3.0 


SYSTEM  DESCRIPTION 


The  GRN-27  I LS  consists  of  a  localizer  station  which  provides  horizontal  guid¬ 
ance,  a  glideslope  station  which  provides  vertical  guidance,  and  a  remote 
•  control  unit  which  displays  the  system  status  and  provides  remote  control  of 

the  system.  An  I LS  installation  may  also  include  distance  measuring  equip- 
■  ment  (DME)  and  up  to  three  marker  beacons;  however,  DME  and  marker  beacons  are 

not  included  in  this  analysis,  and,  therefore,  will  not  be  described. 

3. 1  LOCALIZER 

3.1.1  LOCALIZER  SIGNAL  DESCRIPTION 

Each  localizer  is  operated  at  a  station  frequency  which  is  selected  from  the 
range  of  108.1  to  111.95  MHz.  The  localizer  station  radiates  signals  at  two 
slightly  different  frequencies.  A  course  signal,  with  a  carrier  frequency 
4.75  KHz  above  the  assigned  station  frequency  is  radiated  in  a  relatively 
narrow  beam  pattern.  The  course  signal  provides  guidance  on  or  near  the 
approach  centerline.  A  clearance  signal,  with  a  carrier  frequency  4.75  KHz 
below  the  assigned  station  frequency  is  radiated  at  lower  power  over  a  la-ger 
sector.  This  clearance  signal  provides  guidance  to  the  narrow  sector  centered 
on  the  course  centerline  where  the  course  signal  can  be  acquired.  The  course 
and  clearance  beam  patterns  are  depicted  in  Figure  3-1. 

A  single  detector  in  an  aircraft  detects  both  the  course  and  clearance  signals, 
responding  only  to  the  stronger  course  signal  near  the  centerline,  and  res¬ 
ponding  only  to  the  clearance  signal  some  distance  from  the  centerline.  This 

1 

type  of  operation  is  called  a  two  frequency  capture-ef feet  system.  Both  course 
and  clearance  signals  contain  90  and  150  Hz  modulation  components  combined  in 
the  equipment  and  in  the  field  to  produce  a  predominance  of  90  Hz  modulation 
to  the  left  of  the  runway  centerline  and  a  predominance  of  150  Hz  modulation 
to  the  right  of  the  centerline  (as  viewed  from  the  approach  end  of  the  runway). 
On  the  centerline  the  90  and  150  Hz  modulation  components  are  equal  in  strength. 

i 
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The  localizer  course  and  clearance  signals  are  formed  using  the  same  technique. 
The  carrier  is  modulated  by  90  and  150  Hz  tones,  producing  a  signal  with  the 
following  frequency  components:  C,  C+90,  C-90,  C+150,  C-150;  where  C  is  the 
carrier  frequency.  A  signal  with  all  five  frequency  components,  referred  to 
as  carrier  plus  sidebands  or  C+SB,  is  radiated  in  a  beam  with  maximum  signal 
strength  on  the  course  centerline,  as  depicted  In  Figure  3-1.  Another  signal 
is  formed  without  the  carrier  frequency,  referred  to  as  sidebands  only  or  SBO, 
and  is  radiated  in  a  double  beam  pattern  with  a  null  on  the  centerline,  also 
depicted  In  Figure  3-1. 

In  the  SBO  signal,  each  frequency  component  In  one  of  the  two  beams  is  180° 
out  of  phase  with  the  same  frequency  components  In  the  other  beam.  Further, 
the  signals  fed  to  the  antenna  elements  are  adjusted  such  that  C+90  and  C-90 
signals  in  the  left  SBO  beam  are  in  phase  with  those  signals  in  the  C+S3, 
while  the  C+150  and  C-150  signals  in  the  left  SBO  beam  are  180°  out  of 
phase  with  those  signals  in  the  C+SB.  Therefore,  the  90  Hz  sidebands  in  the 
C+SB  and  SBO  on  the  left  combine  to  produce  a  weaker  signal.  Similarly,  on 
the  right  the  150  Hz  sidebands  combine  to  produce  a  stronger  signal  than  the 
combined  90  Hz  sidebands. 

The  differences  between  the  90  and  150  Hz  modulation  components  Is  positive 
on  one  side  of  the  centerline,  negative  on  the  other  side  and  increases  In 
magnitude  with  angular  displacement  from  the  centerline.  The  difference  is 
therefore  used  in  aircraft  to  provide  angular  guidance.  Specifically,  air¬ 
borne  equipment  computes  the  difference  between  the  two  modulation  components 
divided  by  the  carrier  signal  level.  This  computed  quantity,  called  the 
difference  in  depth  of  modulation  (DOM),  Is  displayed  showing  the  angular 
position  of  the  aircraft  with  respect  to  the  centerline.  The  airborne  equip¬ 
ment  also  computes  the  sum  of  the  two  modulation  components  divided  by  the 
carrier  signal  level,  called  the  sum  of  depth  of  modulation  (SOM).  This  is 
computed  to  ensure  that  the  total  modulation  of  the  radiated  signal  is  ade¬ 
quate,  and,  if  it  Is  not,  an  Indicator  Is  displayed  prohibiting  use  of  the 
signal  for  guidance.  The  RF  power  level  Is  similarly  monitored  to  ensure 
adequate  signal  strengths. 


An  Identification  unit,  which  provides  the  pilot  with  Identification  of  the 
localizer,  generates  a  1020  Hz  Morse  Code  Identification  signal  which  modulates 
both  the  course  and  clearance  carriers. 

3.1.2  LOCALIZER  FUNCTIONAL  DESCRIPTION 


As  Indicated  in  Figure  3-1,  the  localizer  contains  two  identical  transmitter 
systems,  either  of  which  can  be  designated  as  "main”  while  the  other  is  "stand¬ 
by".  Both  transmitters  are  connected  to  the  changeover  and  test  assembly  which 
channels  signals  from  the  operating  transmitter  to  the  antennas  via  the  dis¬ 
tribution  circuits.  During  ordinary  operations,  the  main  transmitter  provides 
the  radiated  signal  while  the  standby  transmitter  Is  off. 

The  radiated  signal  is  monitored  by  integral  monitors  and  a  far  field  monitor¬ 
ing  system.  Integral  monitoring  is  accomplished  by  sampling  the  signal  In  each 
of  the  antenna  radiating  elements.  These  signals  are  transferred  to  the  re¬ 
combining  circuits  where  the  signals  from  all  the  elements  are  combined  as  they 
would  be  combined  in  space.  The  combination  circuits  provide  two  output  sig¬ 
nals,  one  which  would  appear  on  the  centerline,  and  another  which  would  appear 
at  a  small  angular  displacement  from  the  centerline.  This  procedure  Is  applied 
to  both  the  course  and  clearance  antennas  producing  four  signals  to  be  processed: 
course  (on  course),  course  (sensitivity),  clearance  (on  course),  and  clearance 
(sensitivity). 

Each  of  the  recombined  signals  is  sent  to  a  peak  detector  which  provides  Input 
to  a  pair  of  monitor  channels.  Two  monitor  channels  are  used  for  each  signal 
to  enhance  the  system  reliability.  All  monitor  channels  compute  DDM,  SDM,  and 
RF  power  level  of  the  Input  signal  and  then  check  these  values  against  speci¬ 
fied  tolerances  for  the  signal  being  processed.  If  any  of  the  computed  par¬ 
ameters  Is  out-of-tolerance,  an  alarm  signal  Is  sent  to  the  control  unit. 

The  far  field  monitoring  (FFM)  system  Is  located  on  the  extended  runway  center- 
line,  typically  between  3,000  and  4,000  feet  from  the  approach  end  of  the  run¬ 
way.  It  consists  of  an  antenna  and  circuitry  to  detect  and  relay  an  alarm 
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condition.  The  signal  detected  by  the  antenna  is  divided  and  sent  to  two  re¬ 
ceivers,  each  of  which  provide  output  to  a  monitor  channel.  Each  monitor 
channel  computes  the  DDM,  SOM  and  RF  levels  and  checks  these  levels  against 
tolerance  limits,  as  in  the  integral  monitor  system.  An  out-of -tolerance 
condition  must  persist  for  a  predeterm! ned  delay  period  of  70  to  120  seconds 
before  the  FFM  sends  an  alarm  signal  to  the  system  central  unit.  The  process¬ 
ing  of  the  monitor  channel  outputs  as  well  as  the  time  delay  circuitry  is  in 
the  FFM  combining  circuits. 

Although  the  FFM  Is  designed  to  monitor  DOM,  SOM  and  RF,  as  currently  operated 
only  an  out-of -tolerance  DOM  can  cause  a  true  alarm  condition.  The  tolerance 
limits  for  the  SOM  test  circuitry  have  been  set  so  wide  as  +o  render  the  SOM 
monitoring  ineffective.  Further,  one  of  the  two  FFM  monitor  channels  is  ad¬ 
justed  to  accept  a  wide  variation  in  RF  levels.  Therefore,  the  transmission 
of  a  signal  with  incorrect  power  level  will  result  in  a  monitor  mismatch  from 
the  FFM  and  not  an  alarm  condition. 

The  system  control  unit  processes  the  output  from  ail  integral  monitoring 
system  channels  as  well  as  the  output  of  the  FFM  and  a  temperature  alarm.  If 
both  monitor  channels  which  process  the  same  signal  produce  an  alarm,  a  trans¬ 
fer  is  effected  from  the  main  to  the  standby  transmitter.  If  the  system  Is 
operating  with  the  standby  transmitter  when  the  alarms  are  received,  the  system 
is  shut  down.  If  an  alarm  condition  is  received  from  the  FFM,  the  system  is 
shut  down  independent  of  which  transmitter  is  operating.  A  temperature  alarm 
also  causes  a  system  shut  down,  although  It  Is  possible  to  configure  the 
control  unit  such  that  a  temperature  alarm  only  results  In  an  "abnormal"  In¬ 
dication.  An  alarm  from  one  monitor  channel  within  a  pair  results  In  a  "mon¬ 
itor  mismatch"  condition,  with  no  direct  effect  on  the  system  operation. 

3.2  GLIDES  LOPE 

3.2.1  GLIDES  LOPE  SYSTEM  VARIATIONS 

All  glideslope  systems  provide  vertical  guidance  by  producing  signals  with  a 
predominance  of  a  90  Hz  modulation  component  above  the  descent  path,  and  a 


predominance  of  a  150  Hz  component  below.  The  straight  line  descent  path  Is 
formed  where  the  modulation  components  are  equal  in  strength.  Aircraft  systems 
compute  DOM  to  determine  the  aircraft  elevation  with  respect  to  the  descent 
path.  The  glldeslope  signal  processing  performed  In  an  aircraft  is  essentially 
the  same  as  the  corresponding  localizer  signal  processing. 

The  GRN-27  glldeslope  is  manufactured  in  two  versions,  one  frequency  and  two 
frequency.  The  one  frequency  version  is  so  designated  because  only  a  course 
signal  Is  radiated  while  course  and  clearance  signals  are  both  radiated  In  the 
two  frequency  system.  The  one  frequency  system  can  be  configured  to  generate 
one  of  two  course  radiation  patterns,  and  depending  on  the  pattern  selected, 
the  installation  Is  designated  as  a  "null  reference"  or  "sideband  reference" 
system.  The  selection  of  glides  I  ope  system  or  configuration  to  be  used  at  any 
given  site  Is  generally  based  on  the  degree  of  Irregularity  of  the  terrain  In 
the  aircraft  approach  area. 

The  block  diagram  and  radiation  patterns  for  the  one  frequency  glides  lope  are 
shown  In  Figure  3-2.  The  null  reference  vertical  radiation  pattern  is  essen¬ 
tially  the  same  as  the  localizer  horizontal  pattern.  The  C+SB  signal  has  a 
maximum  signal  strength  on  the  descent  path  while  the  SBO  signal  has  a  null  on 
the  path.  The  relative  phasing  of  the  signals  Is  adjusted  to  produce  a  pre¬ 
dominance  of  the  90  Hz  modulation  component  above  the  descent  path,  and  a  pre¬ 
dominance  of  the  150  Hz  component  below  the  descent  path.  The  one  frequency 
sideband  reference  system  produces  less  low  angle  radiation  to  reduce  Inter¬ 
ference  caused  by  reflected  radiation  from  low  angle  obstacles.  In  this  system 
the  C+SB  beam  Is  broader  and  shifted  up  with  respect  to  the  null  reference  C&SB 
beam.  This  Is  accomplished  by  reducing  the  height  of  the  lower  antenna.  Also, 
the  SBO  beam  pattern  of  both  configurations  has  a  null  on  the  descent  path, 
although  the  lower  SBO  beam  in  the  sideband  reference  system  has  its  angle  of 
maximum  signal  shifted  up  and  has  lower  power  than  the  correspond! ng  null  refer 
ence  beam.  This  is  accomplished  by  introducing  an  SBO  signal  to  the  lower  an¬ 
tenna  which  is  out  of  phase  with  the  signal  to  the  upper  antenna,  and  by  re¬ 
ducing  the  height  of  the  upper  antenna  as  well  as  the  lower  antenna. 

The  two  frequency  glldeslope  block  diagram  and  radiation  pattern  in  shown  In 
Figure  3-3.  This  system  differs  from  the  one  frequency  system  in  that  a  clear¬ 
ance  signal  Is  radiated  and  three  antennas  are  used.  By  using  the  middle  and 


lower  antennas  for  the  C&SB  signal,  the  C&SB  beam  Is  made  narrower  with  a  max¬ 
imum  above  the  descent  path.  All  three  antennas  are  used  for  the  SBO  signal, 
making  the  lower  SBO  beam  narrower  and  shifted  further  up  than  in  the  sideband 
reference  system.  Because  of  this  reduction  in  course  radiation  at  the  lower 
angle,  a  clearance  signal  is  radiated  to  provide  fly  up  guidance  below  the 
course  signal . 

3.2.2  GLI OESLOPE  FUNCTIONAL  DESCRIPTION 


Both  glides  lope  systems  are  similar  to  the  localizer  in  the  use  of  a  main  and 
a  standby  transmitter,  changeover  and  test  panel.  Integral  monitoring,  re¬ 
combination  circuits,  redundant  monitor  cnannels  and  a  control  unit.  The 
glides  lope  systems  utilize  a  near  field  monitor,  however,  as  opposed  to  the 
far  field  monitor  used  with  the  localizer.  A  near  field  monitor  alarm  is  de¬ 
layed  by  two  seconds  before  the  glides  lope  is  shut  down.  Other  monitoring  is 
essentially  the  same  for  the  glideslope  as  for  the  localizer.  The  transfer 
and  shutdown  operation  of  the  control  unit  is  also  essentially  the  same  as 
that  of  the  localizer  control  unit. 

The  one  frequency  glideslope  transmitter  systems  do  not  include  clearance 
transmi tters,  obv iati ng  the  need  for  clearance  monitoring  equipment.  In  the 
null  reference  configuration,  the  SBO  signal  Is  channelled  through  the  change¬ 
over  and  test  panel  to  the  upper  antenna,  while  the  C+SB  signal  is  channelled 
to  the  lower  antenna.  In  the  sideband  reference  configuration,  the  distrib¬ 
ution  circuits  are  used  to  direct  SBO  to  the  upper  antenna  and  SBO  as  well  as 
C+SB  to  the  lower  antenna.  The  magnitude  and  phases  of  the  SBO  signals  to  the 
upper  and  lower  antenna  are  set  so  that  on  the  descent  path  the  two  signals 
cancel,  producing  an  SBO  null  In  the  radiation  pattern. 

The  two  frequency  glideslope  transmitter  system  contains  a  clearance  trans¬ 
mitter.  All  signals  from  the  transmitter  are  sent  to  the  antenna  via  the  dis¬ 
tribution  circuits.  In  the  distribution  circuits  phases  and  amplitudes  are 
adjusted,  after  which  signals  are  combined  and  sent  to  each  antenna.  The  SBO 
signal  from  the  middle  antenna  is  zero  on  the  descent  path  while  the  SBO  sig¬ 
nals  from  the  upper  and  lower  antenna  cancel  on  the  descent  path,  resulting 
In  a  total  SBO  null  on  the  descent  path. 
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Figure  3.3.  Two  Frequency  Olidaatopa  Static  Functional  Block  Diagram. 


REMOTE  CONTROL/MONITOR  PANEL 


The  remote  control /monitor  panel  receives  and  displays  status  information 
from  the  localizer  and  glides (ope  and  allows  remote  control  of  transmitter 
selection.  A  separate  control-indicator  module  is  used  for  each  localizer 
and  each  glideslope  system  Installed.  Each  control- i ndi cator  module  has  the 
following  four  indicator  lamps: 


Mai  n 

Standby 

Off 

Abnorma / 


i ndi cates 
i nd i cates 
i nd i cates 
/ nd i cates 
mismatch. 


that  the  main  transmitter  is  operating 
that  the  standby  transmitter  is  operating 
system  is  off 

abnormal  condition,  for  example,  monitor 


In  addition  to  the  indicator  lamps,  there  are  the  following  two  switches  on 
the  control-indicator  module: 

Cycle  -  momemtary  contact  switch  which  causes  the  transmitters 
to  cycle  one  step  in  a  ma i n-of f-standby-of f-ma i n-etc. 
sequence  each  time  the  cycle  switch  is  actuated. 

Silence  -  silences  an  alarm  buzzer  which  sounds  when  an  abnormal 
condition  or  intercom  call  is  initiated. 
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FAILURE  ANALYSIS 


4.1  SPECIFIC  OBJECTIVES 

This  analysis  provides  the  calculation  of  three  types  of  failures  of  the  ra¬ 
diated  I LS  signal: 

1.  Faulty  Signal  -  a  radiated  signal  which  is  out-of-tolerance  with 
respect  to  one  or  more  of  its  monitored  parameters,  except  for  the 
i dent i f i cat i on  component. 

2.  Hazardous  Signal  -  a  signal  which  is  out-of-tolerance  with  respect 
to  on-course  DDL'  and/or  sensitivity,  thus  resulting  in  a  potentially 
hazardous  situation. 

3.  Total  loss  of  signal,  or  shutdown  of  the  localizer  and/or  glideslope 
s  t tit  i  on  (s  ) . 

In  the  computation  of  a  faulty  signal,  it  would  be  desirable  to  compute  the 
probability  that  any  liven  parameter  will  exceed  the  tolerance  limits  set 
within  the  monitor  channels  for  that  parameter.  However,  it  is  virtually  im¬ 
possible  to  compute  such  a  probability  since  it  would  be  necessary  to  know  the 
probability  of  every  failure  mode  or  degree  of  failure  for  each  electronic 
component  in  the  system.  Such  data  is  not  available.  Further,  even  if  the 
data  were  available,  the  consideration  of  all  piecepart  failure  modes  would 
be  far  beyond  the  scope  of  this  effort.  Therefore,  it  has  been  assumed  that 
any  piece-part  failure  or  combination  of  failures  which  could  significantly 
degrade  the  radiated  signal  would,  upon  failure,  produce  an  out-of-tolerance 
condition.  The  results  presented  in  Reference  3  on  the  Mark  III  System  imply 
that  the  same  fundamental  procedure  was  used  in  that  study. 

The  basic  I LS  signal  parameters  which  are  monitored  to  ensure  signal  integrity 
are  the  fol lowi ng: 
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o  on-course  DDM 
o  on-course  SDM 
o  on-course  RF  power 
o  course  width  (sensitivity) 

o  clearance  DOM  (localizer  and  two  frequency  glideslope  only) 

A  signal  for  which  any  one  of  these  parameters  exceeds  its  tolerance  is  con¬ 
sidered  faulty.  However,  only  signals  with  an  incorrect  on  course  '''DM  and/or 
course  width  would  create  a  potentially  hazardous  situation.  An  incorrect 
on-course  DDM  could  be  the  result  of  a  shift  of  the  centerline  or  the  complete 
loss  of  the  centerline.  An  Incorrect  course  width  would  be  the  result  of  a 
signal  producing  zero,  or  very  smal  I,  DDM  everywhere.  These  fai lures  must  be 
considered  hazardous. 

The  guidance  provided  by  an  I LS  is  not  very  sensitive  to  moderate  changes  in 
on-course  SDM.  In  addition,  the  width  monitor  will  indirectly  monitor  and 
prevent  excessive  SDM  changes.  Also,  if  the  SDM  level  falls  below  an  accept¬ 
able  minimum,  a  flag  appears  in  airborne  I LS  receivers  indicating  that  the 
signal  should  not  be  used.  Similarly,  airborne  receivers  monitor  RF  power 
level,  displaying  a  flag  when  the  signal  is  not  usable.  Therefore,  these  par¬ 
ameters  are  not  considered  critical.  With  regard  1o  the  i.  prance  signal,  it 
is  assumed  that  the  critical  portion  of  the  landing  seq^'n  e  occurs  in  the 
final  stages  before  touchdown  during  which  the  aircraft  would  be  within  the 
course  signal.  It  is  therefore  assumed  that  a  faulty  clearance  signal  is  not 
hazardous. 

4.2  GENERAL  APPROACH 


All  failure  calculations  were  first  performed  for  the  GRN-27  as  it  Is  currently 
configured  and  operated.  A  number  of  possible  changes  in  critical  operating 
procedures  and  equipment  were  then  considered  to  determine  the  most  cost- 
effective  method  of  improving  the  system  reliability. 


The  reliability  analysis  in  this  study  is  based  on  the  procedure  used  in  the 
Mark  III  FMECA  (Reference  3),  modified  to  reflect  the  difference  between  the 


Mark  III  and  GRN-27  equipment  and  operating  procedure.  Briefly,  all  possible 
subsystem  failure  modes  having  a  direct  effect  on  the  system  operational  status 
are  determined  from  a  functional  block  diagram  of  the  system.  The  failure  rate 
for  each  failure  mode  is  then  computed  from  the  total  failure  rate  of  all  piece- 
part  components  contributing  to  that  mode  within  the  specific  subsystem.  The 
various  system  failure  probab i ! i t i es  are  computed  using  equations  which  reflect 
the  combinations  and  sequences  of  events  which  must  occur  to  generate  the 
corresponding  failure  effects.  All  events  and  combinations  of  events  which  con¬ 
tribute  s ign i f i cant  I y  to  the  radiation  of  a  faulty  signal  or  station  shutdown 
are  included  in  the  equations.  Many  failure  modes  involving  multiple  indepen¬ 
dent  failures  were  not  included  in  the  computation  since  their  probability  of 
occurrence  could  be  estimated  to  be  negligible. 

In  this  study,  the  failure  modes  and  rates  given  in  Reference  3  were  used  un¬ 
less  differences  between  the  GRN-27  and  Mark  III  systems  necessitated  modifi¬ 
cations,  or  unless  an  oversight  or  need  for  refinement  of  procedures  was  dis¬ 
covered  in  the  Mark  III  study.  The  significant  changes  made  are  explained  in 
the  following  section. 

In  the  Mark  III  study,  part  failure  rates  were  derived  using  RANG  Reliability 
Notebook,  Volume  I  I  (Reference  5).  For  the  subassemblies  with  failure  rates 
requiring  revision  for  this  study,  failure  modes  were  determined  and  failure 
rates  calculated  following  the  methodology  of  the  Mark  III  FMECA.  Part  failure 
rates  were  derived  using  Ml L-HDBK-21 7H,  Military  Standardization  Handbook, 
Reliability  Predictions  of  Electronic  Equipment  (Reference  4).  Assumptions 
made  for  the  part  failure  rate  analysis  are  the  same  as  those  used  in  the 
Mark  I  I  I  study: 

1.  Equipment  ambient  temperature  is  25°  C. 

2.  Environment  is  "ground  fixed" 
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4.3 


MODIFICATIONS  OF  THE  FAILURE  ANALYSIS  MADE  FOR  THIS  STUDY 


4.3.1  RECOMPUTED  FAILURE  RATES 

The  only  subassemblies  for  which  component  failure  rates  had  to  be  completely 
redone  due  to  differences  between  the  GRN-27  and  Mark  III  systems  were  the 
control  unit  and  the  far  field  monitor  combining  circuits.  These  subsystems 
are  completely  different  for  the  two  types  of  equipment,  requiring  recalcu¬ 
lation  of  failure  rates  and  reassessment  and  redefinition  of  failure  modes,  to 
reflect  structural  differences.  Also,  combination  of  DDM,  SDM  and  RF  alarms 
from  a  single  monitor  channel  is  done  in  the  control  unit  in  the  Mark  III  system, 
but  is  done  in  the  monitors  in  the  GRN-27.  The  monitor  failure  rates  have  been 
revised  to  include  the  failure  rate  for  the  logic  circuitry  which  does  this 
comb  I n i ng . 

As  will  be  discussed  in  Section  5,  the  course  width  failure  rate  is  the  single 
determining  factor  in  the  hazardous  signal  probability.  Therefore,  it  was 
analyzed  in  detail  and  recomputed  completely. 

The  analysis  revealed  that  only  a  faulty  SBO  signal  could  affect  the  course 
width  while  leaving  the  on-course  signal  unperturbed.  This  is  the  result  of 
the  fact  that  the  SB 0  signal  has  zero  amplitude  on  course  for  all  systems  (see 
Section  3).  Therefore,  any  fault  which  could  alter  the  SBO  signal  before  it 
is  mixed  with  the  C&SB  signal  could  affect  the  course  width.  Such  faults  could 
occur  in  the  modulator  and  changeover  and  test  circuits  in  all  systems,  and  in 
the  distribution  circuits  of  the  localizer.  The  failure  rates  for  failures  re¬ 
sulting  in  a  faulty  s igna I  were  computed  and  used  to  compute  the  probability  of 
a  faulty  course  width. 

This,  in  effect,  is  a  refinement  of  the  procedure  in  the  Mark  III  FMECA,  where 
the  failure  rate  given  for  transmission  of  a  faulty  course  width  includes 
failures  that  would  affect  the  on-course  signal,  and  would,  therefore,  be  de¬ 
tected  by  monitors  other  than  the  course  width  monitors. 
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4.3.2 


REFORMULATED  PROBABILITY  EQUATIONS 


The  differences  between  the  Mark  (It  and  GRN-27  systems  which  contribute  most 
to  the  difference  in  reliability  are  the  levels  of  redundancy  in  the  monitor¬ 
ing  and  control  systems.  The  probability  equations  for  the  Mark  ill  system  in 
Reference  3  were  reformulated  to  reflect  these  differences,  as  itemized  below: 

1.  There  is  no  redundancy  in  the  GRN-27  control  unit.  This  is  the  single 
most  important  difference  in  the  reliability  between  the  GRN-27  and 
the  Mark  III  system.  Squared  terms  in  the  equations  for  the  Mark  III 
system  are  replaced  throughout  by  linear  terms,  with  a  corresponding 
large  increase  in  failure  probability. 

2.  The  GRN-27  has  two  monitor  channels  for  each  monitored  parameter  versus 
three  in  the  Mark  III  system.  The  integral  monitor  factor  in  the 
probability  equations  is  no  longer  squared,  but  becomes  linear,  on  I y  if 
landings  are  allowed  with  a  monitor  mismatch  condition. 

3.  The  GRN-27  has  only  one  peak  detector  for  each  pair  of  integral  monitor 
channels,  whereas  each  monitor  channel  has  a  corresponding  peak  detec¬ 
tor  in  the  Mark  III  system.  This  difference  is  only  critical  with 
respect  to  shutdown  probabilities,  since  the  probability  that  a  peak 
detector  will  fail  in  such  a  way  as  to  simulate  a  signal  that  is  in 
tolerance  with  respect  to  all  parameters  is  negligible. 

4.  In  the  Mark  III  system,  the  standby  transmitter  is  on,  with  its  signal 
monitored  and  fed  into  dummy  loads.  The  standby  transmitter  is  off  in 
the  GRN-27,  and  therefore  cannot  be  monitored.  This  increases  the 
probability  of  hidden  failure  in  the  standby  transmitter  by  removing 
the  factors  representing  the  standby  monitoring  from  the  Mark  III 
equat i ons . 

5.  The  far  field  monitor  has  three  monitor  channels  in  the  Mark  III  system, 
versus  two  in  the  GRN-27.  The  equations  were  revised  to  reflect  this. 
This  difference  is  not  highly  critical  to  the  total  probability  of  a 
faulty  or  hazardous  signal,  since  far  field  monitoring  appears  in  the 
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equations  as  an  additional  redundancy  to  the  Integral  monitoring, 
making  the  term  in  which  it  occurs,  the  course  DDM  term,  much  smaller 
than  the  terms  representing  parameters  not  monitored  by  the  far  field 
montior. 

6.  The  GRN-27  has  no  near  field  monitoring  of  the  localizer  signal.  The 
equations  were  revised  to  reflect  this,  but  for  reasons  similar  to 
those  discussed  above  for  the  far  field  monitor,  this  has  no  great 
effect  on  the  total  probability. 

7.  The  glideslope  antenna  tower  misalignment  detector  alarm  does  not  cause 
a  shutdown  in  the  GRN-27,  buf  only  causes  the  "abnormal"  indicator  to 
light  on  the  remote  control  panel.  The  probability  equations  were  mod¬ 
ified  accord i ng I y. 

8.  In  the  GRN-27  the  near  field  monitor  of  the  glideslope  does  not  send 

an  alarm,  but  only  an  abnormal  Indication,  if  RF  power  is  out  of  toler¬ 
ance.  This  factor  was  added  to  the  corresponding  Mark  III  equation. 

9.  A  failure  in  the  DC/DC  converters  causes  an  alarm  in  Mark  III  but  not 
in  the  GRN-27.  Therefore,  a  converter  failure  could  remain  undetected 
in  the  GRN-27  until  a  maintenance  check  of  the  power  supply.  Limited 
testing  of  the  GRN-27  power  supply  is  performed  every  month,  and  it  is 
assumed  that  a  converter  failure  would  be  detected  during  this  testing. 
The  maximum  duration  of  an  undetected  converter  failure  is  approximately 
720  hours.  This  value  was  used  in  the  computation  of  the  GRN-27  power 
supply  failure  probability.  This  revision  results  in  only  a  negligible 
increase  in  the  total  shutdown  probability. 

10.  A  localizer  antenna  misalignment  detector  (MAD)  is  used  with  the  GRN-27 
and  not  with  the  Mark  III.  This  detector  is  designed  to  shut  the  system 
down  upon  detection  of  an  antenna  misalignment.  The  MAD  unit  has  only 
a  negligible  effect  on  the  course  signal  integrity,  however,  it  does 
affect  the  shutdown  probabl lity.  Shutdown  can  result  from  a  MAD  system 
failure  or  from  the  detection  of  an  antenna  misalignment.  Since  data 
was  unavailable  on  the  mercury  switches  used  in  the  MAD  systems,  it 
was  not  possible  to  compute  the  effect  of  a  MAD  fai lure  on  the  shutdown 
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probability.  Also,  since  the  probability  of  an  antenna  misalignment 
is  unknown,  its  effect  on  the  shutdown  probability  was  not  computed. 

II.  The  generation  of  an  erroneous  signal  Inhibiting  the  monitors  does 

not  lead  to  shutdown  in  the  GRN-27,  as  it  does  in  the  Mark  III  syste'-. 
The  corresponding  terms  were  therefore  deleted  from  the  total  shutdown 
probabi I ity. 

Other  differences  between  the  ORN-27  and  Mark  Ml  System  were  examined  during 
the  failure  analysis  and  found  to  make  no  contribution  to  the  failure  calcu¬ 
lations.  These  include  a  redundant  battery  charger  in  the  Mark  III  system, 
three  far  field  monitor  antenna/receiver  systems  in  the  Mark  III  system  vs.  one 
in  the  GRN-27,  and  DOM  alarms  for  both  Category  II  and  Category  III  tolerance 
i n  the  Mark  III. 

Other  changes  in  the  Mark  III  system  probability  equations  were  required  to 
correct  errors  in  the  methodology  used  for  that  system.  These  changes  are 
described  below: 

1.  In  order  for  a  faulty  or  hazardous  signal  to  be  undetected,  all 
monitoring  of  the  affected  parameter(s)  must  fail  before  the  corres¬ 
ponding  failure  in  the  transmitter  occurs.  To  reflect  this,  a  con¬ 
ditional  probability  factor  must  be  added  to  the  relevant  probability 
equation.  Taking  this  factor  into  account  generally  has  the  effect 
of  increasing  the  calculated  reliability  by  several  orders  of  magni¬ 
tude.  The  addition  of  these  conditional  factors  is  the  single  most 
important  difference  in  methodology  between  this  study  and  the  Mark  III 
FMECA. 

2.  According  to  our  analysis,  it  is  highly  improbable  that  a  faulty  on- 
course  SDM  signal  could  be  radiated  without  causing  an  alarm  from  the 
sensitivity  monitors.  Therefore,  the  failure  rate  for  the  sensitivity 
monitors  has  been  added  to  the  monitoring  factor  in  the  equation  for 
the  probability  of  an  undetected  faulty  SDM  signal. 
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3.  In  the  Mark  III  FMECA,  there  are  no  terms  in  the  relevant  equations 
expressing  the  probability  of  a  failure  of  the  control  unit  to  process 
a  far  field  monitor  alarm.  Such  a  term  has  been  added  to  the  relevant 
equations  in  this  study. 

i 

4.  In  the  shutdown  probability  equations,  the  factor  representing  failures 

in  the  main  transmitter  causing  a  transfer  has  been  replaced  by  a  factor  < 

representing  both  failures  in  the  main  transmitter  causing  a  transfer 
and  failures  in  the  control  unit  capable  of  causing  a  spontaneous  j 

transfer.  j 


5.  The  localizer  far  field  monitor  and  glides  I  ope  antenna  misalignment 
detector  alarms  are  delayed  70  and  135  seconds,  respectively.  During 
these  intervals,  the  localizer  DDM  signal  could  be  out  of  tolerance  at 
the  far  field,  or  the  glideslope  signal  could  be  faulty  due  to  antenna 
misalignment,  without  being  detected  in  either  case.  Terms  expressing 
these  probabilities  have  been  added  to  the  relevant  equations. 

4.4  VARIABLE  FACTORS  AFFECTING  SYSTEM  RELIABILITY  BEHAVIOUR 

4.4.1  EFFECTS  OF  OPERATING  PROCEDURES  AND  EQUIPMENT  CHANGES 


A  monitor  mismatch  on  any  pair  of  integral  monitor  channels  is  equivalent  to  a 
loss  of  redundancy  In  the  monitoring.  For  example  if  there  is  a  monitor  mis¬ 
match  from  the  course  monitor  channels,  a  single  KTdden  failure  In  the  remain¬ 
ing  course  monitor  would  result  in  the  undetected  loss  cf  integral  monitoring 
of  all  on-course  parameters.  Since  there  is  a  significant  difference  in  re¬ 
liability  between  an  operating  procedure  allowing  landings  with  a  monitor 
mismatch  condition  present  and  an  operating  procedure  requiring  matching  non¬ 
alarm  signals  from  all  pairs  of  monitor  channels,  we  have  calculated  the 
failure  probabilities  for  both  cases.  Thus  the  number  of  matching  monitors 
appears  as  a  variable  in  the  probability  equations.  For  the  GRN-27,  the  only 
indication  of  a  monitor  mismatch  on  the  remote  control  panel  Is  the  lighting 
of  the  "abnormal"  Indicator  light.  Therefore,  the  reliability  of  an  I LS  for 
a  particular  category  of  operation  could  be  enhanced  if  the  system  were  down- 
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graded  from  that  category  when  the  remote  abnormal  light  is  on.  Other  faults 
which  would  also  cause  an  abnormal  indication  (and  no  other  indication)  include: 

•  Primary  AC  power  failure 

•  Battery  charger  failure 

•  Equipment  cabinet  temperature  out  of  limits  (optional) 

•  Glides  lope  misalignment  detector  alarm 

•  Localizer  far  field  abnorma I  condition 

Introducing  a  faulty  signal  into  the  various  monitors  and  observing  the  proper 
system  response  verifies  the  integrity  of  the  monitor  and  control  unit  alarm 
processing.  Since  this  is  a  part  of  the  periodic  maintenance  routine,  the 
maintenance  interval  between  such  checks  is  a  determining  factor  in  the  prob¬ 
ability  of  a  faulty  or  hazardous  signal  being  undetected.  This  is  reflected  in 
the  probability  equations  in  Table  0-1  and  D-1.  Current  operating  requirements 
for  the  GRN-27  specify  a  check  of  the  monitors  and  control  unit  once  every  week. 
Therefore,  a  168  hour  maintenance  interval  was  used  to  calculate  the  probabi I- 
ities  in  the  base  case.  The  probabilities  of  faulty  and  hazardous  radiation 
were  also  calculated  for  other  maintenance  intervals  (see  Section  A.  4). 
Hazardous  signal  probability  as  a  function  of  maintenance  interval  was  calcu¬ 
lated  (Figure  5.1)  and  analyzed  to  determine  the  frequency  of  maintenance  checks 

necessary  to  achieve  the  proposed  hazardous  signal  probability  limits  of 
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0.5  X  10  for  localizer  and  glideslope,  respectively. 

The  possibility  of  installing  an  automatic  test  circuit  that  would  be  capable 
of  simulating  faulty  signals  into  the  sensitivity  monitors  was  investigated. 

This  test  circuit  is  discussed  in  Section  7. 

Calculations  were  also  performed  to  determine  the  effect  of  a  system  which 
would  provide  a  remote  indication  of  a  far  field  monitor  alarm  during  the 
70  second  delay  period. 

With  this  system  in  place,  the  corresponding  far  field  monitor  delay  terms  can 
be  dropped  from  the  probability  equations;  which,  however,  result  in  only  a 
negligible  increase  in  equipment  reliability. 


4.4.2  CRITICAL  LANDING  TIME 

The  probability  of  system  shutdown  within  a  specified  landing  time  Is  a  function 
of  the  time  Interval  chosen.  Based  upon  the  consideration  given  in  Section  2, 
shutdown  probabilities  were  calculated  for  various  critical  landing  times 
(Table  5.2).  For  the  purpose  of  calculating  a  base  case  in  Tables  C-2  and  D-2, 
critical  Intervals  of  30  seconds  and  15  seconds  were  used  for  the  localizer  and 
glideslope,  respectively.  This  means  that  the  base  case  presented  Is  also  the 
"worst  case",  with  respect  to  shutdown  probabl I ities,  among  the  various  critical 
intervals  of  interest. 

4.4.3  ARBITRARY  FACTORS 

Two  terms  in  the  probability  calculations  involve  probabilities  that  cannot  be 
calculated  in  terms  of  equipment  failure.  These  probab i I i ti es  are:  1)  the 
probability  that  the  I LS  signal  will  be  faulty  with  respect  to  DOM  tolerance  at 
the  far  field  only  due  to  external  runway  disturbances  during  the  critical  phase 
of  a  landing,  and  2)  the  probability  that  the  g I i des lope  antenna  tower  will  be¬ 
come  misaligned  within  the  preventive  maintenance  interval.  To  avoid  introducing 
extraneous  assumptions  into  the  result,  we  have  set  both  these  factors  to  zero  in 
the  base  case.  Assessment  of  the  impact  of  these  factors  is  made  in  Section  5.3.4. 
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5.0 


RESULTS 


5. 1  FAILURE  MODES.  RATES  AND  EQUATIONS 

All  of  the  failure  modes,  failure  rates  and  probability  equations  relevant 
to  this  study  are  contained  in  Appendices  A  through  D.  The  data  in  these 
appendices  have  been  used  to  compute  the  results  contained  in  this  section, 
and  could  be  used  to  compute  failure  probabilities  for  other  operating  con¬ 
ditions  or  equipment  conf igurat ions. 

Appendices  A  and  B  contain  subassembly  (e.g.  transmitter,  control  unit,  etc.) 
failure  modes  and  rates  for  the  localizer  and  glideslope  respectively.  The 
first  entry  in  the  tables  is  the  name  of  the  subassembly  and  an  identifying 
number.  The  ID  number  is  used  as  the  first  subscript  on  a  set  of  variables 
(lambdas)  which  are  used  to  represent  the  failure  rates  in  failure  probability 
equations.  A  brief  description  of  the  function  performed  by  each  listed  sub- 
assembly  is  contained  in  the  third  column. 

The  fourth,  fifth  and  sixth  columns  contain  the  failure  modes,  the  effect  of 
each  fai lure  mode  on  the  system  and  rate  of  fai lure  for  each  mode.  Each  fa i I- 
ure  mode  represents  piecepart  failures  which  could  cause  or  contribute  to 
that  mode.  The  failure  rates  presented  in  column  six  represent  a  worst  case 
since  total  piecepart  failure  rates  are  used  even  though  a  piecepart  may  have 
failure  modes  which  do  not  contribute  to  the  subassembly  failure  mode  considered. 

The  failure  modes  within  a  subassembly  are  Identified  by  a  letter.  In  many 
cases,  failure  modes  will  small  differences  between  them  are  categorized  under 
one  failure  mode.  These  variations  within  a  failure  mode  are  identified  by  a 
number  appended  to  the  letter  designating  the  overall  mode.  The  letter  or 
letter  and  number  combination  are  used  as  subscripts,  following  the  subassembly 
ID  subscript,  to  identify  the  particular  failure  rate. 

As  indicated  previously,  most  of  the  modes  and  rates  used  for  this  study  are 
the  same  as  those  used  in  the  Mark  III  FMECA.  Failure  rates  in  Appendices  A 
and  B  which  are  different  from  the  corresponding  rates  in  the  Mark  III  FMECA 
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are  identified  by  an  asterisk  on  the  failure  rate  variable.  Failure  rates 
for  failure  modes  which  were  not  included  in  the  Mark  III  FMECA  are  identified 
by  a  double  asterisk.  Many  failure  modes  listed  in  the  Mark  III  FMECA  are 
not  included  in  this  analysis  either  because  the  mode  does  not  exist  in  the 
GRN-27,  or,  to  affect  the  signal,  the  mode  must  occur  concurrently  with  two 
or  more  other  modes,  such  occurrence  being  improbable. 

Appendices  C  and  D  contain  the  faulty  signal  and  shutdown  probability  calcu¬ 
lations  for  the  localizer  and  glideslope,  respectively.  For  each  type  of 
faulty  signal  considered,  an  equation  is  presented  representing  the  failure 
modes,  combinations  of  failure  modes,  and  sequences  of  failure  modes  which 
must  occur  to  produce  that  faulty  signal.  The  values  of  the  variables  in  the 
probability  equations  are  preserved  and  used  in  two  example  calculations.  One 
calculation  is  shown  assuming  landings  would  not  be  allowed  after  a  monitor 
mismatch.  Also,  a  one  week  maintenance  interval  has  been  assumed  in  all 
example  calculations. 

The  shutdown  probability  calculations  are  shown  in  Tables  C-2  and  D-2  for  the 
localizer  and  glideslope  respectively.  These  results  apply  to  a  system  which 
is  operating  on  the  main  transmitter  at  the  beginning  of  the  critical  landing 
period.  The  shutdown  calculations  are  separated  into  single  failures  result¬ 
ing  in  shutdown,  and  various  categories  of  failure  combinations,  including 
a  failure  causing  a  transfer  to  standby,  then  a  failure  causing  shutdown. 

As  was  done  for  the  faulty  signal  probabilities,  shutdown  probability  equa¬ 
tions  are  presented  along  with  the  value  of  all  variables  in  each  equation. 
Example  calculations  were  also  shown,  using  a  critical  time  of  thirty  seconds 
for  the  localizer  and  15  seconds  for  the  glideslope. 

5.2  SUMMARY  OF  RESULTS 

Table  5.1  contains  a  summary  of  the  results  of  the  reliability  analysis,  giving 
the  reliability  of  the  GRN-27  for  various  combinations  of  operating  procedures 
and  critical  landing  intervals.  The  headings  divide  the  body  of  the  table 
into  four  columns,  each  of  which  corresponds  to  the  set  of  operating  proced¬ 
ures  specified  by  the  headings  above  it.  Assumptions  regarding  critical 
landing  times  affect  shutdown  probabilities  only  and,  therefore,  are  shown 
in  the  shutdown  section  of  the  table. 


I US  USE  ALLOWED  WITH  ABNORMAL  INDICATION 


Table  5.1  System  Integrity  and  Continuity 


The  probabilities  shown  in  Table  5.1  do  not  take  into  consideration  external 
runway  disturbances  which  can  degrade  the  radiated  signal.  Also,  the  poss¬ 
ibility  of  antenna  support  misalignment  for  either  the  localizer  or  glide- 
slope  are  not  included  In  the  tabulated  results.  The  faulty  signal  and 
shutdown  probability  equations  in  Appendices  C  and  D  contain  terms  which 
include  the  probabilities  of  runway  disturbances  or  misalignment.  However, 
since  these  probabilities  are  unknown,  the  results  in  Table  5.2  were  computed 
assuming  these  probabilities  to  be  zero. 

The  faulty  signal  probabilities  shown  are  worst  case  values.  Each  is  the 
sum  of  probabilities  of  different  types  of  faulty  signal  (e.g.  faulty  DDM, 

SOM,  RF,  etc.)  and  the  failure  rates  for  certain  control  unit,  monitor  and 
transmitter  failure  modes  are  included  in  more  than  one  term  contributing  to 
the  tota  I . 

The  shutdown  probability  is  primarily  determined  by  the  probability  of  single 
part  failures  causing  shutdown  during  the  critical  time  interval.  Therefore, 
the  shutdown  probability  is  essentially  directly  proportional  to  the  critical 
time,  as  can  be  verified  from  Table  5.1. 

Results  are  presented  for  critical  time  intervals  of  30,  15  and  10  seconds 
for  the  localizer,  and  15  and  5  seconds  for  the  glideslope.  The  30  and  15 
second  results  can  be  used  to  determine  whether  the  proposed  ICAO  reliabi  I  ity 
standards  can  be  met,  while  the  10  and  5  second  results  can  be  used  to  compare 
against  the  results  of  previous  analyses,  such  as  the  Mark  III  FMECA. 

Al I  the  results  in  Table  5.1  assume  the  system  is  operating  on  the  main  trans¬ 
mitter  before  a  landing  attempt  is  allowed.  If  either  the  localizer  or 
glideslope  is  operating  with  the  standby  transmitter,  single  transmitter  com¬ 
ponent  failures  could  cause  a  shutdown  of  the  station.  For  the  localizer, 

the  total  failure  rate  for  single  failures  in  the  transmitter  that  would  cause 
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a  shutdown  when  operating  on  standby  is  83.11  X  10  '.  The  corresponding 
figure  for  the  glideslope  is  36.01  X  10  6.  Adding  these  to  the  respective 
totals  for  single  failures  causing  shutdown  (pages  C-16  and  0-16),  and  re- 
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moving  +he  probabilities  for  failure  modes  that  cannot  occur  when  operating 
on  standby,  gives  the  following  probabilities  of  shutdown: 

Localizer  (30  second  interval)  8.65  X  10  ^ 

Glides  lope  (15  second  Interval)  2.07  X  10  ^ 

As  noted  with  respect  to  Table  5.1,  shutdown  probabilities  are  essentially 
independent  of  maintenance  interval  and  whether  operation  is  allowed  with  a 
monitor  mismatch. 

Hazardous  signal  probability  is  the  same  whether  operation  is  with  the  main 
or  s+andby  transmitter. 

5 . 3  SAMPLE  DETA I  LED  RESULTS 

Each  faulty  signal  probability  listed  in  Table  5.1  is  the  sum  of  the  probabil¬ 
ities  of  a  number  of  different  types  of  faulty  signal  (ODM,  SOM,  etc.). 
Similarly,  the  shutdown  probabilities  are  the  sum  of  the  probabilities  of  a 
number  of  different  shutdown  modes.  To  show  how  the  results  in  Table  5.1  were 
obtained,  it  is  useful  to  list  detailed  failure  probabilities  for  a  few  of  the 
cases  in  the  table.  The  cases  selected  involve  the  localizer  and  two  frequency 
glides  lope,  a  one-week  interval  between  system  checks,  and  30  and  15  second 
critical  landing  intervals  for  the  localizer  and  glideslope  respect? ve / y. 
Separate  results  are  presented  assuming  landings  are  allowed  with  a  monitor 
mismatch  and  assuming  landings  are  not  allowed  with  a  mismatch.  These  are 
the  cases  for  which  calculations  were  performed  in  Appendices  C  and  D. 

Table  5.2  contains  the  detailed  results  assuming  landings  would  be  allowed 
with  a  monitor  mismatch  (referred  to  as  the  base  case  in  the  Appendices). 

This  corresponds  to  the  current  configuration  and  operation  of  the  system. 

The  precise  definition  of  each  of  the  probabilities  is  contained  in  Appen¬ 
dices  C  and  D. 
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Table  5.2  Base  Case  Failure  Probability 


A.  Localizer  Faulty  Signal  Probability 


1 . 

8cse 

LitDDM 

2. 

csesdm 

3. 

Pcserf 

4. 

PSEN 

5. 

PCL 

6. 

PFF 

2.023  X  10'12 
9.918  X  10"7 
1.095  X  10‘6 
8.753  X  10“8 
1.133  X  10‘6 
0 

3.308  X  10"6 


B.  Glideslope  Faulty  Signal 


1. 

P 

CSE 

LitDDM 

2. 

p 

CSE 

til:SDM 

3. 

PCSE 

citRF 

4. 

PSEN 

5. 

PCL 

5. 

PATM 

Probabil ity 

9.001  X  10-13 
7.548  X  10’7 
7.331  X  10~7 
8.676  X  10"8 
7.522  X  10'7 
0 

2.326  X  10"6 
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Table  5.2  Base  Case  Failure  Probability  (continued) 


C.  Localizer  Shutdown  Probability 


1. 

ps 

2. 

PAB 

3. 

PAC 

4. 

PsTByCSE 

5. 

PSTBysEN 

6. 

PsTBra 

7. 

PSTBYjp 

8. 

PSTBY 

9. 

PC0NV 

10. 

PCSE/ID 

11. 

PSEN 

12. 

PCL 

13. 

PFF 

1.711  X  ICf7 
4.988  X  10"13 
8.461  X  10'12 
1.305  X  10"9 

2.536  X  10-10 
6.391  X  10~10 
1.136  X  10"9 
5.071  X  10'9 
5.920  X  10‘10 
3.341  X  10"10 
1.289  X  10'10 
2.947  X  10~10 

4.536  X  10~10 
1.813  X  10~7 
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Table  5.2  Base  Case  Failure  Probability  (continued) 


D.  Glideslope  Shutdown  Probability 


1. 

ps 

: 

6.395  X 

00 

1 

o 

pH 

2. 

PAB 

: 

2.453  X 

10-14 

3. 

PAC 

: 

4.075  X 

10'12 

4. 

PsTBYCSE 

: 

2.167  X 

10~10 

5. 

PSTBVSEN 

: 

1.082  X 

10~10 

6. 

Pstbvcl 

• 

5.399  X 

10'11 

7. 

PSTBY 

: 

4.983  X 

Hf10 

8. 

PC0NV 

• 

1.306  X 

10-10 

9. 

PCSE 

: 

1.168  X 

10-10 

10. 

PSEN 

: 

6.445  X 

10'11 

11. 

PCL 

: 

1.233  X 

10-10 

12. 

PNF 

: 

1.052  X 

10'10 

6.538  X 
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Table  5.2  Base  Case  Failure  Probability  (continued) 

£.  Summary 

Faulty  Signal  Probability 

Localizer 
G1 ideslope 

Shutdown  Probability 

Local izer  1 *813  X  10 

Gl  ideslope  6.538  X  10 


3.308  X  10  u 
2.326  X  10"6 
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For  both  the  localizer  and  glideslope,  the  on-course  DDM  fault  probability  is 
several  orders  of  magnitude  smaller  than  the  other  non-zero  terms.  This  is 
the  result  of  the  added  redundancy  in  the  monitoring  represented  by  the  far- 
field  monitor  and  its  independent  processing  in  the  control  unit. 

Although  the  hazardous  signal  probabilities  are  not  specifically  listed  in 
Table  5.2,  they  are  the  same  as  the  probabilities  of  a  signal  with  faulty 
sensitivity.  A  hazardous  signal  can  result  from  a  faulty  on-course  ODM  or  a 
faulty  sensitivity,  and,  since  the  on-course  DDM  fault  probability  is  so  small, 
the  sum  of  these  two  terms  is  equal  to  the  faulty  sensitivity  probability. 

From  Table  5.2,  Sections  C  and  D,  it  can  be  seen  that  the  shutdown  probabil¬ 
ities  are  dominated  by  the  probability  of  a  single  failure  causing  a  shutdown 
(F<.).  This  is  to  be  expected  since  the  probability  of  multiple  failures  is 
the  product  of  the  individual  probabilities,  generally  resulting  in  a  low 
value. 

Table  5.3  contains  detailed  results  for  the  same  case  with  the  exception  that 
it  is  assumed  that  the  landings  would  not  be  allowed  with  a  monitor  mismatch. 
Since  the  remote  control  panel  indication  of  a  monitor  mismatch  is  the  light¬ 
ing  of  an  "abnormal"  indicator,  the  reliability  values  shown  in  Table  5.3  can 
be  achieved  if  I  IS  use  is  not  allowed  when  there  is  an  "abnormal"  indication. 

Table  5.3  can  be  compared  with  Table  5.2  to  show  the  improvement  in  relia¬ 
bility  over  the  base  case  made  by  not  allowing  landings  with  a  monitor  mismatch 
condition.  A  comparison  of  the  tables  indicate  that  the  faulty  signal  proba¬ 
bilities  are  significantly  reduced  by  preventing  landings  during  a  monitor 
mismatch.  However,  the  shutdown  probabilities  are  not  significantly  affected. 


fl 
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Table  5.3  Base  Case  Probabilities  With  Landings 
Not  Allowed  with  a  Monitor  Mismatch 


A.  Localizer  Faulty  Signal 


1. 

cseddm 

2. 

p 

CSE 

wtSDM 

3. 

p 

CSF 

otRF 

4. 

PSEN 

5. 

PCL 

6. 

PFF 

Probabil ity 

4.667  X  10'16 
3.082  X  IQ*8 
3.553  X  10‘8 
1.534  X  10"8 
3.551  X  10'8 
0 

1.172  X  10‘7 


Table  5.3  Base  Case  Probabilities  With  Landings  Not  Allowed 
with  a  Monitor  Mismatch  (Continued) 


C.  Localizer  Shutdown  Probability 


1. 

ps  : 

2. 

PAB  : 

3. 

PAC  : 

4. 

Pstbvcse: 

5. 

'>STB'W 

6. 

Pstbvcl  : 

7. 

PsTBVio  : 

8. 

PSTBY  : 

9. 

PCONV 

10. 

PCSE/ID  : 

11. 

PSEN 

12. 

PCL  : 

13. 

PFF  : 

1.711  X  10'7 
4.988  X  10'13 

8.461  X  10-12 
1.305  X  10"  9 
2.536  X  10'10 
6.391  X  10“10 
1.136  X  10"9 
5.071  X  10'9 
5.920  X  10"10 
1.657  X  10"14 
6.394  X  10'15 

1.461  X  10'14 

2.250  X  10'14 
1.801  X  10“7 
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Table  5.3  Base  Case  Probabilities  With  Landings  Not  Allowed 
with  a  Monitor  Mismatch  (Continued) 


Table  5.3  Base  Case  Probabilities  With  Landings  Not  Allowed 
with  a  Monitor  Mismatch  (Continued) 


E.  Summary 


Faulty  Signal  Probability 


Localizer 

1.172 

r- 

i 

O 

r—i 

X 

G1 ideslope 

7.788 

CO 

1 

o 

rH 

X 

Shutdown  Probability 

Localizer 

1.801  X  10"7 

G1 ideslope 

6.497  X  IO"8 
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PREVENTIVE  MAINTENANCE  CYCLE 


As  discussed  in  Section  4.4.1,  the  probability  of  a  faulty  or  hazardous  signal 
is  determined  by  the  frequency  of  checks  of  the  monitoring  and  transfer  oper¬ 
ation.  Figure  5.1  gives  the  probability  of  an  undetected  hazardous  signal  as 

a  function  of  the  maintenance  interval  between  such  checks.  Note  that  a 
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probability  of  hazardous  signal  of  0.5  X  10  may  be  achieved  by  a  maintenance 
interval  of  30.3  hours  if  landings  are  not  allowed  with  an  "abnormal"  indication 
(monitor  mismatch),  or  by  a  maintenance  interval  of  12.7  hours  if  landings  are 
allowed  with  an  "abnormal"  indication. 

5.  5  UNKNOWN  FACTORS 

5.h.1  rAR  FIELR  LOCALIZER  SIGNAL  DEGRADATION  DUE  TO  RUNWAY  DISTURBANCE 

The  probability  of  an  undetected  degradation  of  the  course  position  signal  at 
the  far  field  only  is  a  function  of  the  probability  of  external  runway  distur¬ 
bances.  Since  the  degraded  signal  may  be  hazardous,  it  is  desirable  to  eva I- 
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uate  its  probability  with  respect  to  the  proposed  integrity  level  of  0.5  X  10 
Specifically,  our  analysis  was  directed  toward  discovering  the  values  of  the 
probability  of  external  runway  disturbances  resulting  in  signal  degradation 
for  which  the  associated  hazardous  signal  probability  meets  the  proposed  i n- 
tegrity  level.  Since  the  probability  of  hazardous  signal  due  to  external  run¬ 
way  disturbances  is  only  one  component  of  the  total  hazardous  signal  probabil- 

_9 

ity,  it  was  provisionally  set  equal  to  0.1  X  10  .  We  then  solved  for  the 

probability  of  external  runway  disturbances  necessary  to  guarantee  that  value. 

The  probability  that  a  faulty  course  position  at  the  far  field  will  be  radiated 
during  the  70  second  delay  of  the  far  field  monitor  alarm  is  the  dominant  term 
in  the  calculation  of  the  hazardous  signal  probability  due  to  external  runway 
d i shurbanres .  This  term  is  zero  if  the  far  field  monitor  is  monitored  with  no 
delay  at  the  remote  contro I  panel.  With  remote  control  monitoring  of  the  far 
field  monitor,  the  values  for  the  probability  of  external  runway  disturbances 
necessary  for  the  desired  signal  integrity  are  as  follows: 
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Hazardous  Signal  Probability 


i 


Maintenance  Interval  (hours) 


Landings  not  allowed  with  monitor  mismatch 
Landings  allowed  with  monitor  mismatch 


Figure  5.1 .  Localizer  or  Glideslope  Signal  Integrity  as  a  Function 
of  Preventive  Maintenance  Interval 
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If  landings  are  allowed  with  "A8N"  light  on,  a  probability  of  external  runway 

—8 

disturbances  less  than  8  X  10  gives  a  probability  of  hazardous  signal  at  the 
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far  field  of  less  than  0.1  X  10  .  If  landings  are  not  allowed  with  "ABN" 

light  on,  the  probability  of  hazardous  signal  at  the  far  field  is  less  than 
3.1  X  10  independent  of  the  probability  of  external  runway  disturbances. 

Without  remote  control  monitoring,  the  probability  of  external  runway  distur¬ 
bances  must  be  less  than  4.3  X  10  "  in  order  for  the  corresponding  hazardous 
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signal  probability  to  be  less  than  0.1  X  10 

The  threshold  values  given  are  to  be  compared  with  estimates  of  the  probability 
of  signal  degradation  due  to  external  runway  disturbances  derived  from  other 
sources;  such  as,  for  example,  site-specific  experience,  in  order  to  determine 
if  the  probability  of  the  radiation  of  a  faulty  course  position  at  the  far 
field  is  within  the  proposed  limits. 

See  Appendix  C,  Page  C-15  for  the  equations  used  to  calculate  the  probabilities 
discussed  in  this  section. 

5.5.2  GLIDES  LOPE  ANTENNA  MISALIGNMENT  DETECTOR 

The  misalignment  detector  detects  a  permanent  tilt  of  the  antenna  tower  and 
produces  an  abnormal  indication,  in  effect  providing  a  warning  before  a  tilt 
is  serious  enough  to  cause  a  shutdown  due  to  near  field  monitor  action.  Further, 
a  tower  misalignment  could  have  effects  on  clearance  and  sensi+ivity  undetected 
by  the  near  field  monitor.  Since  the  degree  of  tilt  detected  by  the  misalign¬ 
ment  detector  would  affect  the  glldeslope  path  near  the  runway  threshold  if  the 
tilt  was  towards  or  away  from  the  runway,  this  provides  an  additional  argument 
for  downgrading  the  system  when  an  abnormal  indication  at  the  remote  control 
panel  occurs.  (In  the  Mark  III  System,  a  misalignment  detector  alarm  causes 
shutdown) . 

The  probability  of  the  radiation  of  a  faulty  signal,  due  to  antenna  tower  mis¬ 
alignment  is  a  function  of  the  probability  that  the  glideslope  antenna  tower 
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will  become  misaligned  (within  the  preventive  maintenance  interval),  which  is 

unpredictable,  being  a  function  of  external  and  uncontrol  lab le  forces.  Since 

the  resulting  signal  may  be  hazardous,  it  is  desirable  to  evaluate  its  prob- 

-9 

ability  with  respect  to  the  proposed  integrity  level  of  0.5  X  10  .  Specific¬ 

ally,  our  analysis  was  directed  toward  discovering  the  values  of  the  probabil¬ 
ity  of  antenna  misalignment  for  which  the  associated  hazardous  signal  prob¬ 
ability  meets  the  proposed  integrity  level.  Since  the  probability  of  hazardous 

signal  due  to  antenna  misalignment  is  only  one  component  of  the  total  hazardous 
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signal  probability,  it  was  prov i si ona I  I y  set  equal  to  0. 1  X  10  .  We  then 
solved  for  the  probability  of  antenna  misalignment  necessary  to  guarantee  that 
va I ue. 

The  probability  that  a  hazardous  signal  due  to  antenna  misalignment  will  be 
radiated  within  the  2.25  minute  (135  second)  delay  of  the  antenna  misalignment 
alarm  is  the  dominant  term  in  the  calculation  of  the  hazardous  signal  probabil¬ 
ity  due  to  misalignment.  This  term  is  zero  if  The  m i sa I i gnment  detector  is 
monitored  with  no  delay  at  the  remote  control  panel  (although  this  option  is 
not  under  cons ideration ) . 

Without  remote  control  monitoring,  the  probability  of  tower  misalignment  must 

be  less  than  4.5  X  10  7  in  order  for  the  hazardous  signal  probability  due  to 
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misalignment  to  be  less  than  0.1  X  10  (assuming  a  168  hour  maintenance  i nter- 
va I ) .  With  remote  control  monitoring,  and  not  allowing  landings  with  an  ab¬ 
normal  indication  present,  the  tower  misalignment  probability  must  only  be  less 

than  1.8  X  10  .  If  landings  are  allowed  with  an  abnormal  indication,  the 

-9 

tower  misalignment  probability  must  simply  be  less  than  0.1  X  10  (essentially 
no  mon i tor  in g) . 

The  threshold  values  given  are  to  be  compared  with  estimates  of  tower  misalign¬ 
ment  probability  derived  from  other  sources;  such  as,  for  example,  site-specific 
experience,  in  order  to  determine  if  the  probability  of  a  hazardous  signal  due 
to  tower  misalignment  is  within  the  proposed  limits. 

See  Appendix  0,  Page  D— 1 5  for  the  equations  used  to  calculate  the  probabilities 
discussed  in  this  section. 
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5.6 


REVISED  MARK  Ml  RELIABILITY  RESULTS 


Table  5.4  provides  the  results  from  the  FMECA  of  the  Mark  III  System  (Refer¬ 
ence  3)  and  the  same  results  modified  to  conform  to  the  methodology  used  in 
this  study,  for  purposes  of  comparison  of  the  reliability  of  the  Mark  III  and 
the  GRN-27.  The  modi f icatlons  are  listed  below: 

•  Conditional  factors  were  added  to  the  faulty  and  hazardous  signal 
equat i ons . 


•  Transmitter  failure  rates  in  the  sensitivity  terms  were  replaced  by 
failure  rates  for  transmission  of  faulty  SBO  only. 

•  Changes  were  made  to  reflect  assumptions  made  for  the  GRN-27  base 
case: 

1.  A  maintenance  interval  of  168  hours  was  assumed,  unless  other¬ 
wise  noted; 

2.  critical  landing  times  assumed  were  30  seconds  for  localizer, 

15  seconds  for  glides  lope; 

3.  arbitrary  factors  (localizer  signal  degradation  due  to  external 
runway  disturbances,  glideslope  antenna  tower  misalignment)  were 
set  to  zero. 

•  Hazardous  signal  probability  is  the  sum  of  the  DDM  and  sensitivity 
terms  only. 
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Table  5.4  Revised  Mark  III  Reliability  Results 


Faulty  Signal  Probability 

Local i zer 
G1 i deslope 


Hazardous  Signal  Probability 

Local i zer 
G1 ideslope 


Shutdown  Probability 

Localizer 
G1 ideslope 


Results  from 
Mark  III  FMECA 
(Reference  3) 


Mark  III  Results 
Revised  to  Conform 
to  Methodology  of 
GRN-27  Study* 


9.334  X  10 
9.089  X  10' 


-9 


2.296  X  10 
1.495  X  10 


-12 

■12 


2.141  X  10 
1.518  X  10 


-10 

10 


6.791  X  10 
6.798  X  10 


-14 

-14 


5.617  X  10' 
2.600  X  10 


-8 


1.655  X  10 
7.706  X  10 


-7 

-8 


♦Conditional  factors  added  to  faulty  and  hazardous  signal  equations; 
hazardous  signal  probability  is  sum  of  hazardous  DDM  and  sensitivity 
terms  given  in  Mark  III  study,  with  transmitter  failure  rate  in 
sensitivity  term  replaced  by  failure  rate  for  transmission  of  faulty 
SB0  only;  maintenance  interval  and  critical  landing  times  are  same 
as  for  GRN-27  base  case;  arbitrary  factors  (runway  disturbance,  mis¬ 
alignment,  antenna  tower)  set  to  zero. 
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6.0 


FIELD  EXPERIENCE 


6.1  FACILITY  MAINTENANCE  LOGS 

Table  6-1  summarizes  GRN-27  unscheduled  outages  for  the  calendar  year  1981,  as 
recorded  in  the  maintenance  logs  from  69  facilities.  Causes  of  outages  are 
seldom  categorically  sta+ed  in  the  logs,  and  most  often  must  be  deduced  from 
the  repair/maintenance  aci+vity  recorded  as  the  response  to  the  outage.  When 
the  equipment  repaired  cannot  have  caused  shutdown  by  itself  (for  example,  one 
of  the  two  transmitting  units),  the  outage  has  been  put  In  the  same  class  as 
those  for  which  the  maintenance  technicians  explicitly  noted  "no  cause  found". 

Figure  6-1  below  is  a  graphic  summary  of  all  outages,  derived  from  the  facility 
maintenance  logs. 


Figure  6-1 

GRN-27  Unscheduled  Outages  (1981) 


Outages  due  to 
Power  Supply  Sys 


Rain,  snow  or  lightning 
Outage,  cause  unknown 


Failure  to  transfer  0.3% 
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Not  all  of  t f outages  recorded  were  the  result  of  automatic  shutdowns,  or 
failure  whir  r-  u I i  in  a  loss  of  signal  (such  as  power  failures).  Some 
outages  r.  gro-.en  t  failure'-,  to  bring  up  the  equipment  when  switching  from  one 
runway  f  ■  another.  Others  represent  instances  of  the  system  being  taken  out 
of  .ervici'  1  or  rejair,  or  to  investigate  an  "abnormal"  indication. 

0  ,  i  rvo'.vin  ■>,  repair  actions  on  the  transmitting  units  only  were  most 

I  i  k  t.  *  I  V  *  -■  i  tier  shutdowns  of  the  standby  transmitter,  affer  operation  for  some 
period  on  standby,  or  a  result  of  repair  action  taken  to  correct  some  irreg- 
sljr  ity  •  >r  abnormal  indication.  In  either  case,  there  would  have  been  an 
"  i'n  :  I"  '  n  *  i  r  ;  *  i  on,  or  some  cither  failure  indication,  for  some  period  of 
* imo  before  -.hut  {own,  unless  the  standby  transmitter  was  already  faulty  be- 
♦i-r>>  a  tr  ;■  sfer  >c  arret,  can'  ing  a  shutdown  as  soon  as  the  main  transmitter 
*  :  i  .o  •  a  t  ‘  >•  in  fer  t  ,  f.mdbv  was  male.  None  of  these  cases  could  be  dis- 
r  I  v:u  •  n.'d  from  <>-,  ft  other  on  the  basis  of  the  information  in  the  logs,  nor 
;  i  1  :  ••>t..rmi  n.- 1  with  <  onf  i  -a. -nee  that  the  transmitter  subassembly  re- 

:  )*■''*■  ,  t-.e  :  i  r  “ct  a  :  ,e  of  tne  outage.  Therefore,  all  such  cases  were 

in  I  ;  v>d  rn  ;  ,  *  ages  w?  tb  unknown  causes. 

•).  0  AP.I"  -.  ITH  THE  FAIL'JRE  ANALYSIS 


'  f  ill  n'.t.j  ■ "  r,  .♦-••r  tnan  tho-.e  determined  to  be  non-shutdown  outages  (Class 
VIM  I"  'a‘  ■ -')  ire  roi.me  I  to  be  shutdowns,  we  have  the  following  actual 

wor  t  C'  .bijf  town  .nrohabi  I  i  ties: 

Lo  :  *  i 


nr  ibab  i  1 

i  ty 

of 

shutdown 

I  n 
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second 

i nterva 1 : 

r.is 
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in"6 

Probrib  i  1 

ity 

of 

shutdown 

i  n 
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13 

second 

i nterva 1 : 
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X 

10-6 

ten  1  ope 
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ity 

of 

shutdown 

i  n 

a 

15 

second 

I nterva 1 : 

8.75 

X 

10' 

The  probabilities  are  derived  by  dividing  the  respective  number  of  outages  for 
the  localizer  or  glideslope  by  the  number  of  30  or  15  second  intervals  in  the 
585,940  total  uptime  hours  for  each  type  of  facility  in  the  maintenance  logs 
ana  I yzed. 

More  realistic  probabilities  result  from  counting  only  those  outages  for  which 
repair  or  adjustment  of  identifiable  components  is  recorded  in  the  logs  (I,  II, 
III  and  VI  I  in  Table  6-1): 

Loca I i zer 

Probability  of  shutdown  i n  a  30  second  interval:  8.68  X  10  7 

_7 

Probability  of  shutdown  in  a  15  second  interval:  4.34  X  10 

Gl ides  lope 

Probability  of  shutdown  in  a  15  second  interval:  5.90  X  10  7 

For  purposes  of  comparison  with  the  theoretical  analysis,  only  identifiable 
failures  that  cannot  be  corrected  by  adjustment,  but  only  by  repairing  or  re¬ 
placing  the  failed  part  (I  and  II  in  Table  6-1),  should  be  included  in  the 
probability  calculation.  This  procedure  gives  the  following  results; 

Loca I i zer 

Probability  of  shutdown  in  a  30  second  interval:  4.41  X  10~7 
Probability  of  shutdown  in  a  15  second  interval:  2.20  X  10  7 

Gl I  deslope 

Probability  of  shutdown  in  a  15  second  interval:  4.69  X  10-7 
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For  comparison,  the  corresponding  theoretically  calculated  probabilities 
( from  Tab le  5.1)  are: 

Loca I i zer 

Probability  of  shutdown  in  a  50  second  interval:  1.81  X  10  7 
Probability  of  shutdown  in  a  15  second  interval:  9.07  X  10 

G I i des  lope 

—8 

Probability  of  shutdown  in  a  15  second  interval:  6.54  X  10 

A  168  hour  maintenance  i nterva I  is  assumed.  Also,  the  calculated  probability 
for  the  glides  lope  is  for  the  two  frequency  glides  lope  (worst  case). 

Actual  experience,  as  represented  in  the  logs,  identifies  the  peak  detectors 

as  rousing  outages  with  a  relatively  high  frequency.  The  total  calculated 

peak  detector  failure  rate  contributing  to  the  probability  of  shutdown  is 

3.52  X  10  But  actual  experience  gives  a  much  higher  failure  rate,  with 
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56  failures  in  1,266,780  system  hours,  or  a  failure  rate  of  2.98  X  10  fail¬ 
ures  ner  hour.  This  is  a  confirmation  of  a  known  problem  area,  for  which  pro¬ 
posed  improvements  have  been  discussed  In  Section  7. 

The  localizer  misalignment  detectors  were  involved  in  several  outages  other 
than  those  attributed  to  misalignment  detector  component  failures.  Two  of 
the  three  outages  due  to  corrosion  were  due  to  corroded  wires  on  the  tilt 
detector s.  Also,  both  outages  listed  as  due  to  rodent  activity  were  the  re¬ 
sult  of  rats  having  gnawed  the  insulation  off  wires  connected  to  the  tilt 
detector.  Further,  only  two  of  the  outages  listed  under  "Antenna  Misalign¬ 
ment"  were  due  to  permanent  antenna  misalignment.  Two  were  attributable  to 
storm,  and  one  to  aircraft  departures.  (The  outage  listed  under  "earthquake" 
was  also  caused  by  MAD  alarms.)  And,  finally,  three  outages  listed  under 
unknown  causes  were  due  to  Inexplicable  MAD  alarms,  with  no  fault  found  In 
the  antennas  or  detectors. 
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The  actual  reliability  of  the  monitor  alarm  processing  circuitry  in  the  control 
unit  is  of  interest  in  assessing  the  level  of  confidence  in  the  theoretically 
calculated  probability  of  a  hazardous  signal.  No  outage  was  explicitly  blamed 
on  a  failure  in  the  alarm  processing  circuitry,  and  only  once  in  the  1,206,280 
uptime  hours  was  the  alarm  and  transfer  card  in  the  control  unit  replaced 
(during  troubleshooting)  in  connection  wtth  an  unscheduled  outage.  This  cor¬ 
responds  to  a  failure  rate  of  8.25  X  10  7,  which  agrees  well  with  calculated 
failure  rates  Involving  this  subassembly.  Although  the  monitors  required  more 
frequent  repair,  their  contribution  to  the  hazardous  signal  probability  is 
effectively  eliminated  by  not  allowing  landings  with  a  monitor  mismatch  con¬ 
dition. 
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Table  6-1 


GRN-27  Unscheduled  Out? 


t 


i 


J 


i 

i 

i 

1 

i 

i 

i 

I 

( 

I 


_ Numbei 

Type  of  Outage _  Loca  I !  zer 

I.  Component  failures  causing 
shutdown 


Peak  Detector  I  f> 

Recombining  Circuits  4 

Changeover  and  Test  4 

Distribution  Circuits  2 

Misalignment  Detector  (does  3 

not  include  corrosion- 
re  lated  fai I ures ) 

Far  Field  Moni tor  2 

Proximity  Probe  0 

Antenna  Coup ler  0 

Monitor  Interface  0 

Connector  on  Monitor  Feed  0 

Cab  I  e 

All  single  component  failures  31 

II.  Shutdown  resulting  from  faulty  1 
signal,  followed  by  failure 
to  effect  changeover 


III.  Shutdown,  corrected  by  adjust¬ 
ment  of  the  indicated  subassembly 


Peak  Detector  2 

Transmitters  6 

Monitors  3 

Loose  Hardware  6 

Near  Field  Monitor  N/A 

Far  Field  Monitor  1 

Distribution  Circuits  1 

Unknown  0 

All  shutdowns  corrected  by  19 

adjustment 
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(1981) 


of  Ou+aqes 

Percentage  of 
a  1 1  outaqes 

G 1 i des 1  ope 

To  ta  1 

21 

36 

11.6? 

3 

7 

2.3 

2 

6 

1  .9 

3 

5 

1.6 

N/A 

3 

1 .0 

N/A 

2 

0.6 

1 

1 

0.3 

1 

1 

0.3 

1 

1 

0.3 

1 

1 

0.3 

33 

64 

20.6$ 

0 

1 

0.3$ 

13 

15 

4.8$ 

9 

15 

4.8 

10 

13 

4.2 

3 

9 

2.9 

2 

2 

0.6 

N/A 

1 

0.3 

0 

1 

0.3 

2 

2 

0.6 

39 


58 


18. 7% 


Table  6-1 

GRN-27  Unscheduled  Outages  (1981)  (Continued 


Number  of  Outages 

Type  of  Outaae 

Localizer  Glides  lope  Total 

IV.  Shutdown  due  to  snow,  rain 
or  lightning 


Snow 

Rain 

Lightning 

Unspecified  weather-related 
outage 

6 

2 

1 

0 

3 

1 

0 

2 

9 

3 

1 

2 

Subtota 1 

q 

6 

15 

Percentage  of 
a  I  I  Outages 


2.0* 
1 .0 
0.3 
0.6 


4.8* 


V.  Shutdown  not  caused  by  I LS 
equi pment 

Commerc I  a  I  I ! nes 
Antenna  Misalignment  (de¬ 
tected  by  misalignment 
detector ) 

Corros i on 
Improper  Operation 
External  Runway  Activity 
Faulty  Shelter  Heater  or 
Air  Conditioner 
Rodent  Activity 
Earthquake 


2  16  5.2* 

0  5  1.6 


0  3  1-0 

2  3  1.0 

3  3  1.0 

1  3  1.0 

0  2  0.6 

0  1  °*5 


Subtota I 


27 


8  35  11.6* 


VI.  Shutdown,  cause  unknown 


43 


21  64  20.6* 
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Table  6-1 


GRN-27  Unscheduled  Outages  (1981)  (Continued) 


Number  of  Outages 


Type  of  Outage 


Vll .  Outages  due  to  power  supply 
system 

Blown  fuses  or  tripped 
circuit  breakers 
Loss  of  prime  power,  with 
ensuing  failure  in  back-up 

Subtota I 


Non-shutdown  outages 

System  taken  out 
for  repai r 
Fai I ure  to  come  up 

Subtota I 


IX.  Outage,  unknown  cause  (un¬ 
clear  if  outage  was  a 
shutdown ) 


Loca I i zer  G I i des lope  Total 


Percentage  of 
a  1 1  Outages 


5 

9 

14 

4.5* 

5 

2 

7 

2.3 

10 

11 

21 

6.8* 

12 

6 

18 

5.8* 

15 

3 

18 

5.8 

27 

9 

36 

11.6* 

11 

2 

13 

4.2  * 

Tota  I 


178 


132 


310 
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7.0 


POSSIBLE  EQUIPMENT  MODIFICATIONS 


7. I  TEST  SWITCH 

Each  monitor  channel  In  the  GRN-27  contains  a  switch  which  can  be  used  to 
test  parts  of  the  system.  When  thrown,  the  switch  activates  a  relay,  thereby 
introducing  a  faulty  signal  into  the  monitor  channel.  Activating  the  switches 
on  any  pair  of  channels,  both  of  which  monitor  the  same  parameter,  should  re¬ 
sult  in  a  transfer  from  the  main  to  the  standby  transmitter.  A  second  acti¬ 
vation  of  the  switches  should  result  in  a  system  shutdown.  Using  these 
switches  to  test  for  a  transfer  of  transmitters  is  a  simple  method  of  verify¬ 
ing  that  critical  components  in  the  control  unit  are  operating.  The  test  also 
verifies  the  operation  of  the  monitor  channels.  However,  because  of  monitor 
channel  redundancy,  failures  in  the  control  unit  are  far  more  like  to  produce 
a  hazard. 

To  achieve  the  high  levels  of  reliability  required  for  Category  III  equipment, 
it  would  be  necessary  to  test  the  GRN-27  more  frequently  than  currently  required. 
It  would  be  sufficient  to  use  the  monitor  channel  switches  to  perform  this  test 
since  possible  hidden  failures  in  the  control  unit  are  the  primary  cause  of  the 
relative  unreliability  of  the  system.  One  possible  approach  to  performing 
these  tests  would  be  to  install  a  switch  in  the  control  tower  or  tower  equip¬ 
ment  room  which  could  be  used  to  test  the  system  remotely.  After  the  remote 
switch  is  activated,  the  tester  would  observe  on  the  remote  indicator  panel 
that  a  transfer  from  main  to  standby  has  taken  place  (indicator  lights  and  aural 
alarm  indicate  the  change  of  status).  The  system  would  then  be  restored  using 
the  cycle  switch  on  the  remote  control  panel. 

One  possible  implementation  of  the  remote  test  switch  would  minimize  the  atten¬ 
tion  required  of  the  tester  and  minimize  the  duration  of  the  signal  interruption. 
This  system  would  be  semi-automatic  in  that  an  operator  would  simply  press  a 
momentary  contact  switch.  The  system  would  then  automatically  transmit  a  sig¬ 
nal  to  the  equipment  shelter  which  activates  the  test  circuitry  for  a  precise 
interval.  The  interval  would  be  longer  than  the  delay  time  on  the  alarm  and 
transfer  circuit  card  (used  to  prevent  transients  from  effecting  a  transfer). 
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but  sufficiently  short  such  that  the  transfer  is  not  immediately  followed  by 
a  shutdown.  The  semi-automatic  system  would,  after  a  short  delay,  transmit 
a  pulse  which  would  activate  the  Monitors  Locally  Bypassed  (MLB)  signal  In 
fhe  control  unit,  thereby  restoring  the  main  transmitter.  A  cycle  pulse  could 
be  used  to  restore  the  system  but  the  cycle  pulse  would  first  shut  the  system 
off,  after  which  the  system  would  remain  off  for  twenty  seconds  before  the 
next  cycle  pulse  could  restore  the  system. 

7.2  TOWER  MONITORING  OF  THE  FAR  FIELD  MONITOR 


The  far  fieid  monitor  does  not  issue  an  alarm  until  a  faulty  signal  has  been 
received  contiguously  for  a  delay  interval  of  between  70  and  120  seconds. 
Therefore,  it  would  be  useful  to  provide  the  controller  with  some  indication 
of  a  faulty  signal  at  the  far  field  monitor  during  the  delay  Interval.  A 
controller  could  discriminate  between  faulty  signals  caused  by  temporary 
obstructions,  such  as  overflights  or  taxiway  activity,  and  those  with  no 
apparent  cause,  such  as  a  system  fault.  Such  a  remote  display  system  has  been 
built  at  rhe  NAVA  I n$/C0MM  Engineering  Branch  of  the  FAA  Aeronautical  Center, 
and  is  currently  being  tested.  This  type  of  display  unit  will  have  only  a 
negligible  effect  on  the  probability  of  radiation  of  a  faulty  signal  due  to 
a  system  failure.  However,  it  would  reduce  the  probability  that  a  landing 
would  occur  while  the  signal  is  distorted  by  an  obstruction.  The  specific  Im¬ 
pact  is  impossible  to  determine  without  data  on  the  probability  and  duration 
of  all  +ypes  of  signals  reflecting  obstructions.  Example  calculations  of  the 
display  unit  impact  are  shown  in  Section  5.5.1. 

I.7)  IMPROVED  TRANSMITTER 


The  0RN-27  transmitters  were  designed  in  the  late  1960's  at  which  time  there 
was  a  limited  quantity  and  quality  of  solid  state  RF  devices.  Also,  D.C.  to 
R.F.  conversion  efficiencies  obtainable  with  these  early  devices  were  relatively 
low.  Considering  these  constraints,  the  reliability  and  output  power  levels  of 
the  GRN-27  were  respectable.  However,  significant  Improvements  can  be  realized 
with  the  use  of  current  technology  solid  state  RF  power  devices. 
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Southwestern  Communications,  Inc.  has  designed  and  tested  improved  transmitter 
power  amplifiers  for  both  the  localizer  and  glideslope  systems.  The  improved 
amplifiers  have  been  designed  as  plug-in  replacements  for  the  original  equip¬ 
ment  A4  circuit  boards.  The  advantages  of  using  the  improved  amplifier  in  the 
loca I i zer  are: 

•  Higher  reliability  -  the  computed  failure  rate  for  the  improved  circuit 
is  0.14  failures  per  million  hours,  compared  to  1.38  for  the  original 
equ i pment . 

•  No  frequency  drift  occurs  in  the  improved  circuit  whereas  the  original 
equipment  requires  periodic  readjustment  after  turn-on. 

•  Shorter  time  required  for  transmitter  stabilization. 

•  The  same  power  amplifier  is  used  in  the  course  and  clearance  trans¬ 
mitters.  However,  the  lowest  power  level  to  which  the  original  ampli¬ 
fier  can  be  adjusted  is  often  too  high  for  the  clearance  transmitter, 
which  must  meet  a  10  db  course  to  clearance  oower  ratio  criterion. 

The  improved  circuit  can  be  adjusted  to  sufficiently  low  levels  to 
meet  the  criterion. 

Similarly,  the  replacement  amplifier  circuit  for  the  glideslope  transmitter  has 
the  following  advantages: 

•  Higher  reliability  -  the  computed  failure  rate  for  the  improved  cir¬ 
cuit  is  0.44  failures  per  million  hours  compared  to  4.11  for  the 
original  equipment. 

•  The  original  equipment  amplifier  contains  components  which  will  soon 
become  unavailable  (2N5016  transistor). 

•  The  improved  circuit  can  produce  15  watts  of  power  as  opposed  to 
10  watts  for  the  original  equipment. 
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•  Lower  power  levels  are  possible  with  the  improved  amplifier  making  it 
possible  to  meet  the  10  db  course  to  clearance  power  ratio  crilerion. 

Although  the  new  amplifiers  would  not  have  any  significant  impact  on  the  prob¬ 
ability  of  a  faulty  signal  or  system  shutdown,  the  number  of  transfers  from 
main  to  standby  resulting  from  a  fault  in  a  transmitter  will  be  reduced.  Also 
less  maintenance  will  be  required  to  keep  the  transmitters  operating  and 
properly  adjusted. 

7.4  IMPROVED  PEAK  DETECTORS 

As  was  discussed  in  Section  A,  the  peak  detectors  in  both  the  localizer  and 
glides  lone  systems  are  prone  to  failures  which  result  in  shutdown.  These 
fai  lures  are,  in  part,  the  result  of  the  approximately  160°F  ambient  environ¬ 
ment  maintained  by  a  ‘ eVer  within  each  peak  detector.  Also,  each  peak  detec¬ 
tor  contains  attenuator  switches  which  are  prone  to  failure.  Clearly,  more 
reliable  peak  detectors  should  be  installed  in  the  GRN-27  systems. 

Southwestern  Communications,  Inc.  is  currently  testing  an  improved  peak  detec¬ 
tor  design.  These  improved  peak  detectors  do  not  contain  attenuator  switches, 
and  are  operated  in  an  environment  maintained  at  120°F.  Although  detailed  de¬ 
sign  data  have  not  been  made  available  for  a  reliability  analysis,  the  Improved 
design  should  result  i n  much  impro  ed  reliability. 

7.5  LOCALIZER  MISALIGNMENT  DETECTORS 


As  described  in  Section  6.?,  the  localizer  misalignment  detectors  are  prone  to 
corrosion  and  have  a  high  number  of  outages  in  proportion  to  the  number  of 
actual  misalignments  of  the  antennas.  Improvements  in  the  detector  or  removal 
to  correct  or  avoid  these  problems  would  reduce  the  number  of  unscheduled  out¬ 
ages.  The  course  antenna  misalignment  detector  may  be  considered  to  serve  as 
a  redundant  monitor  to  the  far  field  course  alignment  monitoring  and  consequent 
ly  its  removal  would  have  no  serious  impact  on  the  system  hazardous  radiation 
probab i li ty. 
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IMPROVED  I NTEGRATEO  CIRCUITS 


Virtually  all  of  the  processing  in  the  GRN-27  control  unit  is  performed  with 

NAND  gates.  A  hidden  failure  in  any  one  of  a  few  critical  gates  could  prevent 

a  transfer  to  standby  upon  detection  of  a  faulty  signal  by  the  monitors.  The 

probability  of  such  an  occurrence  would  be  reduced  by  the  use  of  higher  quality 

gates.  Specifically,  using  gates  of  quality  level  B  (as  defined  in  Ref.  4, 
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Pg.  2. 1.5-1)  would  result  in  hazardous  signal  probabilities  of  0.158  X  10 
for  the  localizer  or  glides  lope,  assumming  a  one-week  interval  between  system 
checks  and  assuming  that  landings  would  not  be  allowed  with  an  abnormal  indi¬ 
cation.  However,  the  gates  in  the  GRN-27  are  non-standard  and  not  available 
in  a  higher  quality  version.  Higher  quality  gates  could  be  custom  designed 
and  manufactured  but  the  cost  would  be  prohibitive. 

7.7  FIELD  MONITORING  OF  COURSE  WIDTH 

As  discussed  in  Section  4,  a  hazardous  signal  is  the  result  of  a  faulty  on- 
course  DDM  or  course  width.  A  faulty  on-course  DDM  is  much  less  probable  than 
a  faulty  course  width  because  the  on-course  DDM  is  monitored  in  the  field  (far 
field  for  localizer,  near  *ield  for  glideslope)  as  well  as  bv  integral  monitors, 
while  the  course  width  is  monitored  only  by  integral  monitors.  Therefore,  the 
probability  of  hazardous  signal  is  equal  to  the  probability  of  a  signal  with 
faulty  course  width.  If  the  course  width  were  monitored  in  the  field,  the 
probability  of  a  faulty  course  width  would  be  as  low  as  the  faulty  DDM  prob- 
abi I i ty. 

Monitoring  the  l^'alizer  course  width  in  the  field  would  require  placing  an 
antenna  to  the  side  of  the  course  centerline,  near  the  far  field  monitor  sys¬ 
tem.  i"or  the  glideslope,  an  antenna  would  have  to  be  placed  above  or  below 
the  near  field  monitor  antenna.  Also  additional  circuitry  would  have  to  be 
added  to  process  the  signals  from  the  new  antennas.  Such  monitoring  is  used 
on  I LS  units  in  the  United  Kingdom.  However,  the  implementation  of  this  type 
of  monitoring  would  be  expensive. 
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CONCLUSIONS  AND  RECOMMENDATIONS 


As  Table  5-1  shows,  the  proposed  ICAO  hazardous  signal  probability  limit  ex- 

-9 

pected  to  be  recommended  for  Reliability  Level  3  and  4  equipment  (0.5  X  iO  ) 
r H  bo  met  by  the  GRN-27  if  the  following  changes  are  adopted: 

1.  The  transfer  capability  of  the  system  is  tested  at  least  once  every 
24  hours,  and 

2.  The  category  of  operation  is  downgraded  with  an  abnormal  indication 
on  the  remote  indicator  panel. 

It  is  recommended  that  the  daily  test  be  performed  using  a  remote,  semi-auto¬ 
matic  test  circuit  described  in  Section  7.1. 

The  GRN-27  meets  all  ICAO  proposed  loss  of  signal  probability  limits  as 
currently  configured  and  operated. 

With  the  GRN-27  operating  on  the  standby  transmitter  (that  is,  as  a  single 
transmitter  system)  the  proposed  Level  4  loss  of  signal  probability  can  still 
be  met,  although  the  single  transmitter  loss  of  signal  probability  is  approx¬ 
imately  five  tines  that  of  the  system  with  both  transmitters  available.  The 
hazardous  signal  probability  is  the  same  whether  the  system  is  operating  with 
a  standby  transmitter  or  not. 

The  maintenance  logs  are  generally  consistent  with  the  theoretical  calculations. 
The  largest  discrepancy  was  in  the  large  number  of  outages  attributed  to  the 
peak  detectors.  Replacing  the  existing  peak  detectors  with  an  improved  design, 
as  discussed  in  Section  7,  could  result  in  a  significant  reduction  in  unsched¬ 
uled  outages.  Further  reduction  in  the  number  of  outages  could  be  made  by 
correcting  the  transmitter  and  localizer  misalignment  detector  problems  noted 
in  Section  7.  These  changes  will  result  in  a  decreased  shutdown  probability, 
but  will  not  appreciably  affect  the  hazardous  signal  probability. 
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APPENDIX  A 
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x  . 


LOCALIZER  SUBASSEMBLY  FAILURE  MODES  AND  RATES 


NOTE:  In  the  failure  analysis  tables  a  single  asterisk  super* 
script  {^|J  )  indicates  that  the  failure  rate  for  that  failure 
mode  is  different  from  the  corresponding  value  for  the  CAT.  Ill 
system  as  given  in  Ref.  3.  A  double  asterisk  superscript  (^jj  ) 
indicates  a  completely  new  failure  mode.  All  other  failure  rates 
are  from  Ref.  3. 


TABLE  A,  Localizer  Failure  Analysis 
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Identification 


Item 

Name 


Control  Unit 


I.D. 

No. 


01 


Function 


The  control  unit  pro¬ 
cesses  alarms  received 
from  the  monitor  chan¬ 
nels,  providing  signals 
to  transfer  main  to 
standby,  to  shut  down 
both  transmitters,  or 
to  indicate  a  monitor 
mismatch.  In  addition, 
the  control  unit  gene¬ 
rates  inhibit  signals, 
displays  both  locally 
and  remotely  transmit¬ 
ter  status,  and  display^ 
various  power/tempera- 
ture  alarm  conditions 
for  both  the  main  shel¬ 
ter  and  far  field  moni¬ 
tor.  Operational  fea¬ 
tures,  such  as  bypass 
of  monitors,  main  unit 
select,  memorization  of 
alarms  are  also 
associated  with  the 
control  unit. 


Failure 
Mode 


Generation 
of  an  er¬ 
roneous 
transfer 
signal . 


Generation 
of  an 
erroneous 
shutdown 
signal  due 
to  alarm 
processing 
circuitry. 


Inability 
to  process 
a  transfer 
signal . 


Inability 
to  process 
a  shutdown 
signal . 


Inability 
to  process 
any  or  all 
power/en¬ 
vironmental 
alarms. 


Failure 

Effect 


Causes  a  transfer! 
to  standby. 


Causes  immediate 
system  shutdowr 


Monitoring  of 
the  Integral 
course,  sensiti¬ 
vity,  I.D.,  and/ 
or  clearance  is 
virtually  ren¬ 
dered  useless. 


Failure 

Rate 

(AxlO6) 


3.18 

*Lu 

1.829) 


2.982 


a: 


IB 


Results  in  a 
loss  of  far 
field  monitoring 
capabil  ity. 


Loss  of  remote 
recognition  of 
respective 
alarm  conditions 


2.870 

'W 

1.140) 

(A*  . 

ID2 

0.913) 

(A*  , 

103 

1.730) 


Remarks 


is  the 

S1A1  failure  rate 

for  parts  allow¬ 
ing  a  spontaneous 
transfer  to  stand¬ 
by  transmitter. 

is  the 

failure  rate 
for  parts  which 
can  fail  such  that 
a  transfer  is  made 
and  a  persisting 
transfer  signal 
will  cause  shut¬ 
down. 


A 


1A2 


1.143 


1.143 


a; 


\*o 

\* 


1J 


E) 


A  is  the  failure 
1  rate  for  parts 
allowing  faulty  sig¬ 
nal  to  persist. 

\D2  is  the  part  of 

including  only 
ID1  failures  which 
would  not  result  in 
an  "ABN"  or  “MONITOR 
MISMATCH"  indication. 

A. 03  is  the  failure 
J  rate  for  parts 
preventing  transfer 
and  resulting  in 
shutdown  upon  at¬ 
tempting  transfer. 
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IDENTIFICI 

Item 

Name 

tTION 

I.D. 

No. 

Function 

Failure 

Mode 

1 

Failure 

Effect 

Failure 

Rate 

(XxlO6) 

Remarks 

Control  Unit 
(CONTINUED) 

01 

! 

1 

Generation  { 
of  an  erro¬ 
neous  con¬ 
trol  signal 
that  shuts 
down  the 
main  trans¬ 
mitting 
unit. 

The  main  trans¬ 
mitter  is  shut 
down  for  at 
least  20  seconds. 
Independent  of 
the  persistence 
of  the  erroneous 
control  signal. 

1.039 

Nh 

Generation 
of  a  con¬ 
tinuous 
inhibit  to 
the  monitor 
channels. 

1 

The  monitor  chan¬ 
nels  are  inhibit¬ 
ed,  and,  hence, 
rendered  totally 
useless.  Although 
the  inhibit  does 
not  affect  the 
far  field  moni¬ 
tor  channels 
from  alarming, 
the  inhibit  does 
prevent  the 
alarm  from  being 
processed  in  the 
control  unit. 

0.232 

Ks 

Inabil  i  ty 
to  process 
a  main  in¬ 
hibit  to 
the  monitor 
channels . 

In  another  fai¬ 
lure  occurs  which 
initiates  a 
transfer  an 
immediate  shut¬ 
down  will  occur 
since  the  moni¬ 
tors  are  not 
inhibited  during 
the  transition 
period. 

0.545 

XIt 

Loss  of 
+13  volts 
in  control 
unit  power 
supply. 
(Note:  loss 
of  switched 
28v  is  also 
included) 

All  control  logic 
is  rendered  use¬ 
less.  Both  trans¬ 
mitters  shutdown; 
monitor  channels, 
however,  are 
inhibited  and, 
hence,  do  not 
alarm. 

0.88 

V 

1AA 

Combining 

Circuits 

49 

! 

The  combining  circuits 
assembly  of  the  far 
field  monitor  processes 
the  alarms  of  the  moni¬ 
tor  channels,  the  OC/DC 
converters,  the  battery 
charger  and  a  temoera- 
ture  alarm.  This  pro¬ 
cessing  Includes  the 
time  delays  necessary 
for  far  field  moni tor 
channel  alarms. 

! 

Generation 
of  a  shut¬ 
down  signal 

Immediate  shut¬ 
down  of  the 
entire  localizer 
station. 

1.145 

- 

Inability  to 
process  a 

1  moni tor 
alarm. 

Loss  of  far  field 

monitoring 

capability. 

1.630 

TA3LE  A.  Localizer  Failure  analysis 


Identification 


cai 

Function 

Ho 

Failure 

Effect 


Combini ng 

Circuits 

(CONTINUED) 


Inability  Effective  loss  oi 

to  process  a  far  field 

an  alarm  monitor  channel. 

from  a 

single 

monl  tor 

channel . 


This  failure  mode 
represents  the 
failure  of  that 
part  of  the  alarm 
processing  cir¬ 
cuitry  which  is 
duplicated  for 
each  monitor 
channel . 

\.QF  represents 
f  the  failure 
of  that  part  of 
the  alarm  pro¬ 
cessing  circuitry 
which  is  common 
to  both. 


Loss  of  dc  Immediate  shut- 
output  vol-  down  of  the  en- 
tage  on  tire  localizer 

+5v  regula-  station,  caused 
tor.  by  the  generation 

of  a  shutdown 
signal  from  the 
far  field 
monl tor. 


J 


1 
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Identification 

1 

Failure 

rate 

<Xx  1C6) 

Item 

Name 

1.1) 

No. 

Function 

Failure 

Mode 

Failure 

Effect 

Remarks 

Course  Trans¬ 
mitter  (MAIN 
or  STANDBY) 

02 

or 

07 

(N) 

The  course  transaltter 
delivers  a  VHF  carrier 
to  the  course  power 
amplifier.  The  carrier 
Is  also  aodulated  in 
the  transmitter  by  the 
1020  Hz  ID  tone  and 
also  the  low  frequency 
warning  signal 
(when  necessary). 

Loss  of  all 
modulation. 

Loss  of  ID  ra¬ 
diation  and 
warning  signal 
capability. 

1.446 

^NA 

*  ^2A 

or\7A 

Transfer  would 
not  occur  on 
failure  of 
standby  unit. 

NOTE: 

implies  the 

Loss  of  RF 
carrier. 

Loss  of 
course  C+SB 
and  SBO  sig¬ 
nals. 

7. 150 

failure  rate  of 
each  separate 

Item  identified 

In  the  •I.D.  No." 
column. 

Clearance 
Transml tter 
(MAIN  or 
STANDBY) 

04 

or 

09 

The  clearance  trans¬ 
mitter  delivers  a 
clearance  C+SB  to  the 
antennas  via  clear¬ 
ance  distribution 
circuits.  In  ad¬ 
dition,  VHF  carrier 
and  +18  vdc  are  fed 
directly  to  the 
sideband  generator 
for  the  operation 
of  clearance  SB0 
signal . 

Loss  of  all 
modulation. 

Loss  of 
sidebands  on 
the  C+SB  signal 

1.446 

\a 

Transfer  would 
not  occur  on 
failure  of 

Standby  unit. 

Loss  of  RF 
carrier. 

Loss  of  clear¬ 
ance  C+SB  and 
SBO  signals. 

7.150 

\b 

Sideband 
Generator 
(MAIN  or 
STANDBY) 

05 

or 

08 

Provides  clearance 

SB0  signal  to  the 
sideband  amplifier. 

Loss  of  out¬ 
put  signal . 

Loss  of 
clearance  SBO 
signal . 

10.250 

N, 

Transfer  would 
not  occur  on 
failure  of 
standby  unit. 

Modulator 
(MAIN  or 
STANDBY) 

03 

or 

08 

Provides  course 

VHF  carrier  am¬ 
plitude  modulated 
by  a  90  Hz  and 

150  Hz  signal , 

CSE  C+SB.  It 
provides  the 
course  SB0  signal; 

|  A  LOW  frequency 

90+150  Hz  signal 
which  feeds  the 
clearance  trans¬ 
mitter;  and  a 

90-150  Hz  signal 
feeding  the 
sideband  gene¬ 
rator. 

Loss  of 
low  freq. 
oscillator 
(14.4  KHz) 
resulting 

In  loss  of 
all  90  Hz 
and  150  Hz 
modulation. 

Loss  of 
the  following 
system  sig¬ 
nals; 

1.  LF  90+150 

2.  SB  In 
clearance 

C+SB 

3.  LF  90-150 

4.  Clearance 

SBO 

5.  Course  SBO 

6.  SB  In 
course  C+SB 

2.413 

\a 

Transfer  would 
not  occur  on 
failure  of 
standby  unit. 

Loss  of  VHF 
carrier  to 
digital 
phasing  ckts 
(to  either 
or  both  of 
the  90  i 

150  phase 
shifters). 

Loss  of  SB  In 
course  C+SB 
signal  A 
course  SBO 
signal . 

0.413 

\b 

A-5 


4 
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Identification 


Item 

toe 


Modulator 

(Continued) 


I 


I.D. 

No. 


03 

or 

08 


cUNCTlON 


Failure 

Mode 


Loss  of  90  or 
ISO  dividers, 
synchroniza¬ 
tion  circui¬ 
try  or  90/ 

150  Hz  shift 
registers. 


Loss  of  X./32 
driving  sig¬ 
nal  to  delay 
line  (either 
the  90  Hz  or 
ISO  Hz  phase 
shifter). 


Loss  of  A/16 
driving  sig¬ 
nal  to  the 
delay  lines 
(either  the 
90Hz  or  ISO 
Hz  phase 
shifter). 


Failure 

Effect 


Out  of 
tolerance 
course  and 
clearance 
C+SB  and  SBO 
signals. 


Slight  distor¬ 
tion  of  the 
course  C+SB 
and  SBO  sig¬ 
nals. 


Distortion 
somewhat  more 
than  X/32 
of  the  course 
C+SB  and 
SBO  signals. 


Loss  of  A/8, 
A/4,  X/4. 

A/2  or  X/2 
signal  to 
the  delay 
line,  (either 
the  90  Hz  or 
.SO  Hz  phase 
sM  fter). 


Loss  of  +90, 
-90,  +150  or 
-ISO  Hz  phase 
shifter  RF 
signal . 


Out  of  toler¬ 
ance  course 
C+SB  and 
SBO  signals. 


Out  of  toler¬ 
ance  course 
C+SB  and 
SBO  signals. 


Loss  of  +90, 
-90,  +150, 
or  -150  Hz 
phase  shift¬ 
er  RF  slgnel. 


Loss  of  ei¬ 
ther  90  Hz  or 
150  Hz  sinu¬ 
soidal  signal 
for  clear¬ 
ance  trans- 
mi  sslon. 


Out  of  toler¬ 
ance  SBO 
signal . 


Out  of  toler¬ 
ance  clear¬ 
ance  C+SB 
&  SBO  signals. 


Failure 

Rate 

XxlO' 


1.453 


2.426 

\o 


2.426 

\e 


12.832 

\f 


1.302 


0.5234 


NG1 


Remarks 


1.552 

\h 


Not  Hazardous. 


Not  Hazardous. 
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Identifica 

Item 

Name 

Function 

Failure 

Mode 

Remarks 

Modulator 

(Continued) 

03 

or 

08 

j 

Loss  of  90+ 
150  Hz  slgna1 

Loss  of  modula¬ 
tion  for  clear¬ 
ance  transmit¬ 
ter  resulting 
in  SB  loss  of 
clearance  C+SB, 

0.388 

V 

Loss  of  90- 
150  Hz  sig¬ 
nal 

Loss  of  clear¬ 
ance  SB0  sig¬ 
nal 

0.756 

\j 

Course  Monitor 
CHANNELS  (1  or 
2) (MAIN) 

35 

or 

36 

Provide  monitoring 
of  the  course  posi¬ 
tion  (DOM),  the  * 
nodiflation  (SOM), 
and  the  course  RF 
power  level . 

i 

Loss  of 

monitoring 

ability, 

producing 

alarms 

Loss  of  1  of 

2  monitors. 

Now  dependent 
on  remaining 
monitor  for 
system  con¬ 
trol  (trans¬ 
mitter  trans¬ 
fer  capability^ 

13.539 

K, 

If  another  cor¬ 
responding  moni¬ 
tor  alarm  failure 
occurs  in  the 
remaining  monitor, 
local izer  wil 1  trans¬ 
fer,  then  shut  down. 

Loss  of 
monitoring 
ability, 
producing 
no  alarms. 

Loss  of  1  of 

2  monitors. 

Now  dependent 
upon  remain¬ 
ing  monitor 
for  system 
control . 

5.62 

*NB 

If  the  same  failure 
occurs  in  the  remaining 
monitor,  hazardous 
radiation  will  go 
undetected. 

'  Clearance 
Monitor 

CHANNELS 
(1  or  2) 

43 

or 

44 

Provide  monitoring 
jof  the  clearance 

00M,  ?  modulation, 

|and  clearance  RF 
jpower  level . 

Loss  of 
monitoring 
ability 
producing 
a  1  a  rms . 

Loss  of  1  of 

2  monitors. 

Now  dependent 
upon  rema in¬ 
i'  ng  monitor 
for  system 
control . 

14.509 

X* 

NA 

If  another  corres- 
oonding  monitor  alarm 
failure  occurs  in  the 
remaining  monitor, 
local izer  wil 1  trans* 
fer,  then  shut  dovun. 

Loss  of 
monitoring 
ab  11 1  ty 
producing 
no  alarm. 

Loss  of  1  of 

2  mom  tors. 

Now  dependent 
upon  remain¬ 
ing  moni  tor 
for  system 
control . 

5.78 

I r  the  same  failure 
occurs  in  the  remaining 
monitor,  hazardous 
rad i at  ion  wi 1 1  go 
undetected. 

1.0.  Unit 
(Main  or 
Standby) 

06 

or 

11 

Provides  a  keyed 

1020  Hz  audio 
signal  (ID  TONE) 
to  aircraft  for 
runway  S  approach 
Identification. 

Loss  of  ID 

signal 

(audio) 

Transfer  to 
standby  unit. 

3.949 

\a 

Transfer  would 
not  occur  on 
failure  of 
standby  unit. 

Loss  of  code 
or  keying. 

Transfer  to 
standby  unit. 

13.134 

TABLE  A.  Localizer  Failure  Analysis 


Identification 


Failure 

Function 

Failure 

Failure 

Rate 

Mode 

Effect 

(Xxlf)6) 

Sensi ti vi ty 

V. 

Monitor 

or 

CHANNELS  M 
or  2! (MAIN) 

39 

The  course  peak  detec¬ 
tor  receives  a  simula¬ 
ted  course  position 
input  signal .  Thi s 
input  signal  Is  ob¬ 
tained  by  a  combination 
of  signals  obtained  by 
proximity  probes  at  the 
radiating  antennas.  The 
peak  detector  then 
converts  the  RF  signal 
into  a  low-frequency 
signal,  both  DC  and  AC. 
The  DC  is  representa¬ 
tive  of  the  RF  power; 
the  AC  is  the  demodu¬ 
lated  90/150/1020  Hz 
S i gnal . 


The  sensitivity  peak 
detector  receives  a 
Simulated  input  signal, 
representative  of  the 
course  width  (displace¬ 
ment  sensitivity).  This 
input  is  obtained  by  a 
combination  of  signals 
obtained  by  proximity 
probes  at  the  radiating 
antennas.  The  peak 
detector  converts  the 
RF  signal  into  a  low 
frequency  signal,  both 
DC  and  AC.  The  DC  is 
representative  of  the 
RF  power;  the  AC  is 
the  demodulated  90/150 
Hz  signal . 


The  clearance  peak 
detector  receives  a 
simulated  clearance 
input  signal .  This 
input  signal  is  ob¬ 
tained  by  a  combination 
of  si gna Is  obtai ned 
from  both  proximity 
probes  and  a  sampled 
signal  of  clearance 
C*S8  and  $80.  This  RF 
input  signal  is  con¬ 
verted  to  a  low-frequ¬ 
ency  signal,  both  AC  & 
DC.  The  DC  is  represen¬ 
tative  of  the  clearance 
RF  power;  the  AC  is  the 
demodulated  90/150  Hz 
clearance  signal . 


Provide  monitoring  of 
the  course  width  (ODM). 


Total  loss 
of  output 
signal 
(both  AC 
and  DC) 


Incorrect 
(low)  DC 
output 
signal . 


Total  loss 
of  output 
si gnal 
(both  AC 
and  DC) 


Incorrect 
(low)  DC 
output 
si gnal . 


Total  loss 
of  output 
s  i  gna  1 
(both  AC 
and  DC). 

Incorrect 
(low)  DC 
output 
signal . 


The  monitor 
channels  process 
the  failure  as 
being  a  drop  in 
course  RF  power 
and  an  increase 
in  modulation 
percentage, 
pausing  transfer 
then  shutdown. 


Loss  of  input 
signal  to  the 
sensitivity  mo¬ 
nitor  channels, 
causing  transfer 
then  shutdown. 


The  monitor 
channe’s  process 
the  signal  as 
being  a  drop  in 
course  RF  power, 
an  increase  in 
modulation  per¬ 
centage,  and  an 
decrease  in  DOM, 
causing  transfer 
then  shutdown. 


loss  of  input 
s ignal  to  clear¬ 
ance  monitors, 
causing  transfer, 
then  shutdown. 


The  monitor 
channels  process 
the  failure  as 
being  a  drop  in 
clearance  RF 
power,  an  in¬ 
crease  in  ODM, 
causing  transfer 
then  shutdown. 


If  another  corres¬ 
ponding  monitor  DON 
failure  occurs  in 
remaining  monitor, 
transfer,  then  shut¬ 
down  wil  1  resul t. 


1 
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Identification 


Item 

Name 


Sensitivity 

Monitor 

CHANNELS 

(1  or  2) 

(MAIN) 

(CONTINUED) 


Identi fica- 
tion  Moni¬ 
tor  Assem¬ 
bly  (I.D. 
Monitors 
No.  1  or  2) 


Identifi¬ 
cation 
Moni tor 
Assembly 
(Regulator/ 
Alarm  Logic 


I  A 

No. 


38 
or 

39 


34 


34 


-UNCTION 


Loss  of  moni¬ 
toring  abilityj 
producing  no 
lalarms. 


Each  I  .D.  monitor  re¬ 
ceives  its  respective  in 
put  from  the  AGC  outputs 
of  the  integral  course 
position  monitor  chan¬ 
nels.  Each  I.D.  monitor 
checks  its  input  signal 
for  the  presence  of  a 
keyed  (coded)  audio 
(1020  Hz)  tone.  An  alarm 
is  produced  whenever  a 
loss  of  audio  or  keying 
exists  over  a  definite 
time  interval. 


Loss  of  moni¬ 
toring  abilityj 
of  one  of  the 
main  I.D. 
monitors,  pro¬ 
ducing  an 
alarm. 


Loss  of 
Imonitoring 
ability  of 
one  of  the 
kin  I.D. 
|monitors,  pro¬ 
ducing  no 
alarm. 


The  I.D.  monitor  assem¬ 
bly  contains  the  two 
T.D.  monitors.  A  common 
voltage  regulator  (+12, 
+15 ,  -12V)  supplies 
power  to  both  monitors. 
Alarm  logic  is  also  con¬ 
tained  wi thi n  this 
assembly. 


Failure 

Mode 


Lo's  of  +12 
|volts  of 
regulator. 


Loss  of  +15 
volts  of 
regulator. 


Loss  of  -12 
volts  of 
regulator. 


Alarm  logic 
causing  a  ma1n| 
I.D.  a  1  a  rm . 


Failure 

Effect 


Loss  of  1  of  2 
monitors.  Now 
dependent  on 
remaining  moni¬ 
tor  for  system 
control . 


Loss  of  1  of  2 
I.D.  monitors. 
Now  dependent  on| 
remaining  I .D. 
monitor  for 
system  control . 


Loss  of  1  of  2 
I.D.  monitors. 
Now  dependent 
on  remaining 
monitor  for 
system  control . 


All  I.D.  moni¬ 
tors  are  ren¬ 
dered  useless. 
No  alarms  are 
produced  and, 
hence,  opera¬ 
tion  continues. 
I.D.  signal 
monitoring  is 
totally  lost. 


1 .0.  alarm  out¬ 
puts  go  to  a 
"high"  logic 
level .  The  con¬ 
trol  unit  pro¬ 
cesses  this  as 
an  immediate 
transfer  J  then 
a  shutdown. 


Alarms  on  al 1 
I.D.  monitors 
causing  an  im¬ 
mediate  transfer] 
and  then  a 
shutdown. 


The  control  u- 
nit  processes 
this  as  an  im¬ 
mediate  trans¬ 
fer  and  then  a 
shutdown. 


Failure 

Rate 

(Xxl'J6) 


3.12 


5.742 
(total ) 

^34A1  * 

34  A2  ■ 


X. 

X 


34A3 

1.914 


1.050 

^34B 


0.423 

X34E 


0.137 

\4F 


0.290 

\sG 


0.262 

X 

34H 


Remarks 


Only  DDM  monitor¬ 
ing  circuitry 
is  critical.  If  the 
same  failure  occurs  in 
the  remaining  monitor, 
hazardous  radiation  will 
go  undetected. 


If  another  such 
failure  occurs 
in  the  I .0. 
monitor,  the 
system  will 
immediately 
transfer  and 
then  shut  down. 


Not  hazardous. 
The  I.D.  signal 
is  assumed  non- 
essential  . 


Not  hazardous. 
I  .D.  Signal 
assured  not 
critical . 


•r 


A-  ? 
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Identifk 

Item 

Name 

:ation 

I.D. 

No. 

Function 

Failure 

Mode 

- j 

Failure 

Effect 

Failure 

Rate 

(XxlO5) 

Remarks 

Identifica¬ 
tion  Monitor 
Assembly 
(Regulator/ 
Alarm  Logic) 
(CONTINUED) 

34 

- - - - J 

Alarm  logic 
inhibiting 
the  main 

I.D.  alarm. 

Loss  of  main 

I.D.  monitoring 
ability. 

0.434 

^41 

Not  hazardous  - 
I.D.  signal 
assumed  not 
critical . 

Alarm  logic 
inhibiting 
the  main 

I.D.  alarm. 

Shutdown  of 
standby  trans¬ 
mitting  unit. 

0.172 
^34J  1 

| 

Alarm  logic 
inhibiting 
the  standby 
I.D.  alarm. 

Loss  of  standby 
I.D.  moni toring 
abil ity. 

0.242 

^34K 

Hazardous  -Xj4|( 
is  similar  to 

x,._ 

34  D 

Alarm  logic 
causing  a 
mismatch. 

No  serious  ef¬ 
fect  on  system. 

0.160 

V 

Not  hazardous. 

Changeover 
and  Test  Cir¬ 
cuits  (Peak 
Detectors 

Excl uded ) 

12 

i 

The  changeover  and  test 
circuits  provide  the  au¬ 
tomatic  changeover  capa¬ 
bility  for  the  redundant 
transmitting  units.  It 
selects  upon  command 
from  the  control  unit 
which  transmitting  unit 
radiate:,  into  the  an¬ 
tennas  and  which  unit 
operates  into  duiwiy  loads 

Inability  to 
changeover 
transmi tting 
units  by 
switching  j 
circuitry. 

1 

Any  failure  on 
the  main  unit, 
which  should 
only  generate 
a  changeover  to 
Standby,  will 
result  in  a 
system  shutdown. 

0.221 

\» 

Essentially  ren¬ 
ders  the  standby 
unit  useless. 

Premature 
transfer  of 
transmi tting 
units  to 
antennas  by 
swi tching 
circuity. 

If  in  MAIN,  a 
transfer  to 
STANDBY  will 
occur;  if  in 
STANDBY,  a  trans 
fer  to  OFF  will 
occur.  This  is 
due  to  a  momen¬ 
tary  loss  of 
signal . 

0.134 

^12B 

Essentially  ren¬ 
ders  either  the 
main  or  standby 
transmitter 
useless . 

Total  loss 
(or  incor¬ 
rect  phasing 
of  course 

S30  signal 
of  the  main 
transm' tting 
uni  t. 

Alarms  on  moni¬ 
tor  channels 
initiate  a  trans. 
fer  to  standby 
and  system 
operates  on 
standby. 

0.065 

V 

120 

Changeover  &  12 

Test  Circuits 
(CONTINUED) 


Course  Oistri-j  13 
bution  Cir¬ 
cuits  : 


Clearance  |  14 
Distribution  , 
Circuits 


Battery 

Charger 


Total  loss  (Alarms  on  the 
(or  incor-ect!  clearance  mon¬ 
phasing)  of  |  i tors  initiate 
clearance  SBOi  a  transfer  to 
signal  of  thej  standby  A  sys- 
main  trans-  j  tem  operates 
mitting  unit.!  on  standby. 


Loss  of  any 
one  or  all  of1 
CSE  C+SB,  CSE! 
SBO,  CL  C+SB,; 
CL  SBO,  (to 
main  trans-  i 
mitter) 


Immediate  ]  2.417 
shutdown  after!  \ 
an  automatic  I  12F 
transfer.  !  (Total ) 


=  1.209 


The  course  distribution 
circuit  distribute  the 


A  total  loss  j  Since  a  fai- 
UILUIL  U  l)U  1UULC  LIC  of  signal  fort  lure  of  this 
course  C+SB  A  SBO  signals!  any  signal  type  is  inde- 
to  the  antennas.  j  path;  incor-  ,  pendent  of  the- 

I  rect  phasinq  transmitting 
■  of  either  of  unit,  an  im- 
the  radiated  mediate  shut- 
signals;  dis-  down  after  an  j 
tortion  suf-  !  automatic 
'  ficient  to  .  transfer  will 
'■  cause  moni  tori  resul  t. 
ala  rms . 

Loss  of  SBO.  Immediate 

shutdown  after 
;  t  rans  fer . 

1 


The  clearance  distribu-  i  A  loss  (or  Upon  'ailure, 
tion  circuits  route  and  j  major  distor-  an  immediate  ; 
distribute  the  clearance1  tion)  of  sig-  transfer  fol-  ■ 
C+SB  &  SBO  signals  to  nal  for  any  lowed  by  an 

the  antennas.  clearance  immediate 

signal  path,  shutdown  will 
occur. 


nal  for  any 
clearance 
signal  path. 


The  battery  charger  sup¬ 
plies  all  the  dc  power 


Loss  of 
charger  out-  | 


System  wil 1 
operate  3  hrs 


to  all  the  equipment  of  j  put  voltage.  !  on  batteries 


the  localizer  station. 
(The  far  field  monitor 
has  its  own  power  source 
In  addition  to  supplying 
the  power  to  the  electro- 
!  nic  equipment,  the  bat-  , 
I  tery  charger  ensures 
-  that  a  fill  1  charge  is  j 
|  constantly  maintained  on 
thofhhaftp.-' 


(Note:  the  !  after  charger 
nominal  out-  !  failure, 
put  voltage  j 
is  30  volts  I 
DC)  I 


X  incl  udes  both 
12F 

the  course  and 
clearance  failure 
rates. 


Since  any  signal 
degradation  suf¬ 
ficient  to  be  "out 
of  tolerance"  has 
the  same  net  e+- 
!  feet,  all  doss i ble 
!  fa i 1 ure  modes  may 
be  treated  on  an 
1  aggregate  basis . 


ST' ,D0“  and  -'or  RF 
alarms  an  the  mo¬ 
nitors  are  depen¬ 
dent  upon  specific 
railure  character¬ 
istics. 


.  1 
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Identification 


Item 

Name 


I.D. 

No, 


Function 


Fa ilure 
Mode 


Failure 

Effect 


CA I  LURE 
Kate 

( Xxin6) 


i 


Pemarks 


Battery 

Charger 

(CONTINUED) 


15  In  the  event  of  a  primary  |Charger  fai-l  No  immediate 

power  failure,  the  two  Ilure  indica-i  effect  on  sys- 
[batteries  (in  parallel)  sup-jtion  only  I  tern  operation, 
jply  t1  a  necessary  dc  power,  ^hile  out- 
;  put  voltage  i 

|i  s  s  t  i  1 1 
iintained 
Dn  charger.  '■ 


oss  of 
qua  1 1 ze 
oltage  ca- 
,abil  ity, 
ither  man¬ 
ual  and/or 
putoma  ti  c. 

Note:  the 
|  equal i ze 
[  vol tage  is 
a  nomi nal 
|  13  vol ts 
dc,  thus 
provi ding 
[  a  "hard 
1  charge"  to 
!  the  bat¬ 
teries  . 
l 


No  i  mme  d  i  a  te 
effect  on 
system 
operation. 


0.801 

\e 


Not  hazardous; 
both  transmitters 
still  available 
(after  downgrade. 


6.436 

\c 


'Not  hazardous; 
a  total  discharge 
of  the  batteries 
can  occur  only 
after  the  system 
is  operated  on 
jbatteries  for 
|some  extended 
period  of  time 
(greater  than 
.three  hrs  ) .  System 
operation  on  bat¬ 
teries  is  a  result 
!of  either  primary 
(power  supply  failure 
or  a  failure  of 
charger. 


DC /DC  17 

Converter 

(No.  1  or  2)  °r 

.•  18 


Each  nf  the  OCOC  cnnver-  ]  loss  of  any|  Station  main-  1 

ters  transforms  the  *30  j  one  or  all  ■  tains  normal 

volts  nominal  input  voltage]  the  fol-  operation  on 
to  three  di£rerent  output  lowing  remaining  con- 

voltaqes:  *5,  tv,  -18v,  &  i  voltages:  verter  voltagesL 

-50v.  The  output  voltages  '  »5,5v,  -18vj,Each  of  the  j 

of  each  converter  are  res-  l-50v.  (converter  vol- 

pectively  used  in  parallel  ]  I  tages  is  | 


6.598  ;To  result  in  a 

\  station  shutdown, 

N  both  converters 

jnust  fa  il . 


and  feed  both  modulators  in| 
the  system. 


sensed  in  the 
!  control  unit 
1  for  abnormal 
i  tolerances . 


Temp  Sensors 


P  (The  temperature  sensors  [Failure 

[provide  alarm  indications  ^producing 
[whenever  the  temperature  !an  alarm 
[exceeds  or  drops  below  [indication, 
(preset  limits.  These  limits: 

(are  set  to  give  indication 
of  air  conditioner/heater 
fa i lures . 


I, .mediate  shut-, 
iown  of  local-  ] 
Per  station. 


0.100  'emperature  alarm 

\  is  optional  for 

/  19A  CAT.  II. 


Failure  [There  are  2  sen 
(producing  | sors ( thermocou- 
Ino  alarm  iplesl-one  for 


I  indication. 


h i gh  temps  $ 
one  for  low. 
A  failure  of 
this  type  in 


Not  hazardous . 

If  temperature 
affects  system 
operation,  other 
alarms  will  occur. 


TA3LE  A.  localizer  Failure  Analysis 


PAGE  12  OF  15 


Identification 

! 

r .  . . -  . . 

i 

l  1 

Item 

ji.r. 

Function 

Failure 

i 

i 

|  Failure 

[Failure 

Rate 

Name 

No. 

Fode 

!  Effect 

K  /VxI'J  ) 

l 

Remarks 


Temp  Sensors  19 
(CONTINUED) 


Failure 
produci ng 
no  alarm 
indication. 
(CONTINUED) 


lone  of  the  sen¬ 
iors  does  not 
affect  the  ope¬ 
ration  of  the 
other.  Hence, 
the  only  effect 
is  the  loss  of 
temp,  monitor¬ 
ing  abil i ty  for 
only  one  temp, 
extreme  (high 
or  low). 


DC/DC  Conver-  51 
ter  (No.  1 
or  No.  2)  or 
(FEW)  52 


Each  of  the  OC/OC  conver-  Loss  of  -18v  System  maintains  2.412 


|  ters  of  the  far  field 
monitor  provides  -18v, 
i  used  in  the  monitor  chan- 
I  nels  and  the  receivers. 
They  are  in  parallel  and 
isolated  by  diodes . 


operation  on 
remaining  con¬ 
verter.  If  the 
remaining  con¬ 
verter  also 
fails,  the 
localizer  sta¬ 
tion  wi 11  shut 
down,  due  to 
monitor  channel 
la  1  arms. 


Battery  50 

Charger 


Generation 
of  an  erro¬ 
neous  con¬ 
verter  fail 
alarm. 


|  The  battery  charger  sup¬ 
plies  *24  volts  to  each 
'of  the  units  at  the  far 
i field  monitor  -  the  two 
j converters,  the  three  * 
| receivers  and  their  res- 
jpective  monitor  channels,  I 
and  the  combining  circuits; 
(assembly.  The  battery 
charger  also  keeps  a  full 
[charge  on  the  battery  at 
all  times. 


["■Abnormal"  indi- 
I  cation  at 
|  remote  control 
panel . 


Loss  of  *24  System  maintains  5.790 
volts  output. operation  on  L 

[far  field  moni-  '50A 

jtor  battery. 

i - 1 — - - - . — - 

"Low  voltage"’If  another  f a i -  0.519 

I  battery  dis-  Ture  of  the  bat-  iy 
connect  cir-  tery  charger  50B 

cuit  fa  i  lure  ,pausi  ng  loss  of 
disconnecting*?4  v  occurs, im- 
the  battery  mediate  shutdown 
from  the  loadpf  the  localizer 


Not  hazardous; 
both  converters 
still  operational 


Note  failure  mode 
has  the  same  effect 
as  an  ffm  battery 
failure. 


Station  will 
resul  t. 

Loss  of 
equal ize 
charge  capa¬ 
bility  after 
a  power  out¬ 
age. 

Does  not  af¬ 
fect  system 
operation.  A 
trickle  charge 
will  still  be 
applied  to  the 
battery. 

0.318 

\oc 

Not  hazardous. 

"Quick  charge"  ca¬ 
pability  does  not 
directly  affect 
nonitoring 
performance. 

Generation  of 
an  erroneous 
charger  fail 
al  arm. 

"Abnormal " 
indication  at 
renote  control 
panel . 

0.126 

^50D 

lot  hazardous;  far 
field  monitoring 
lot  affected. 

TAELE  A. 
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Identification 

i 

j 

i 

— 

:AILURE 

^ATE 

(XxlO6) 

Item 

Name 

o  - 

■  :■* 

cUNCT10N 

t 

;  Failure 

PODE 

Failure 

Effect 

Remarks 

Battery 

Charger 

(CONTINUED) 

50 

r  ■  i 

1  Continuous  Far  field  mo-  1  7.658 

equalise  nitor  maintain^  \ 

voltage  only  normal  opera-  j  ,X50E 

tion  at  a 
slightly  hi gh-  ! 
er  supply  ! 

voltage.  j 

;  l 

Not  hazardous;  pre¬ 
ventive  mainte¬ 
nance  required  for 
battery  check. 

Recei  ver 

No.  1  or 

Mo.  2 

53 

or 

54 

Each  of  the  far  field  mon-  Total  loss 

itor  receivers  receives  a  of  output 

low  level  rf  input  signal  signal  or 

and  converts  it  to  the  I LS  any  major 

audio  and  dc  signal  which  isi  signal 
then  the  input  to  the  res-  distortion, 
pective  moni tor  channel. 

The  DOM  of  the  audio  signal 
is  representative  of  the 
far  field  course  position. 

Loss  of  tne  in¬ 
put  signal  to 
the  correspond¬ 
ing  f  a  r  field 
monitor  chan¬ 
nel  will  oro- 
duce  a  FFM 
monitor  mis¬ 
match.  Loss  of 
!  of  2  FFM 
monitors.  Now 
dependent  on 
rema  ining 
monitor  eor 
system  opera- 
ti  on. 

6.879 

N 

The  SDM  strap 
option  provided 
remote  recognition 
of  failure. 

Moni  tor 
Channels 

No.  1  or  2 

56 

or 

57 

To  provide  m'nitorinq  of 
the  course  position  in  the 
car  field  region  of  the 
runway. 

toss  of 
:  moni tori ng 
abili ty. 

Loss  of  1  of 

2  monitors. 

Now  dependent 
on  remaining 
moni tor . 

0.825 

\a 

toss  of 
moni tori ng 
abi  1  i  ty  ,  pro 
ducinq 

3DM  alarm. 

Loss  of  1  of  2 
monitors.  Now 
-dependent  on 
remaining  moni  a 
.tor  for  system 
operation. 

11.099 

\ 

1  NB 

1  Loss  of  moni 
toring  abi¬ 
lity  produc¬ 
ing  no  alarm 

-Loss  of  I  of  2 
monitor  voting 
capabi 1 i ty . 

Now  dependent 
on  remaining 
monitor  for 
fir  field 
moni  *:ori  ng. 

4.422 

%c 

remo. 

Sensor 

59 

] 

Monitors  the  temperature 
of  the  EFM  for  out  of 
tolerance  conditions. 

Generation  of  "Abnormal" 

’an  erroneous  indication  at 
temp,  alarm,  remote  con- 
1  :  trol  oanel . 

2.050 

A 

59A 

Not  hazardous;  far 
fi  el  -1  mom  tori  ng 
still  available 

| 

j 

i 

i 

i 

i 

I 

Inabi 1 i ty  to 
;produce  a 
Itemp.  alarm. 

,  Loss  of  temp. 

.  moni  toring 
abi  1  i  ty  with¬ 
out  recogni- 

0.050 

X 

59B 

Not  hazardous  ;  i  f 
temperature  affects 
monitoring,  alarms 
will  occur. 

TABLE  A.  Localizer  Failure  Analysis 
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Identification 


Item 

Name 


Course  Power 
Ampl  1  fier 


Course  Power 

62 

Ampl i fier 

or 

Power  Supply 

63 

Sideband 

Amplifier 


Course  Re- 

Combination 

Circuits 


Clearance  Re 
Combi  nation 
Circuits 


Course  An¬ 
tenna  Array 


i.n. 

No. 


60 

or 

61 


64 
or 

65 


66 


67 


68 


Deliver  an  amplified  UHF 
carrier  to  the  modulator. 
The  carrier  is  modulated 
in  the  transmitter  by  the 
1020  Hz  I.D.  tone  and  the 
low  frequency  warning 
(signal . 


Function 


Loss  of  RF 
carrier. 


Provides  1020  Hz  modular 
ed  +20  volts  to  course 
power  amplifier. 


Provides  clearance  SB0 
signal  to  the  sideband 
ampli fier. 


Constructs  the  signals 
used  for  monitoring 
course  position,  ccurse 
width,  percent  modulation ) 
and  RF  power. 


Constructs  the  signals 
for  monitoring  the 
clearance  DOM,  percent 
modulation,  and  RF  power. 


Radiate  the  course 
position  signal . 


-ailure 

Mode 


Loss  of  course! 
C+SB  and  SB0 
signals. 


Loss  of  +20 
volts. 


Loss  of  course| 
C+SB  and  SB0 
signals. 


Loss  of  all 
modulation. 


Loss  of  out¬ 
put  s ignal . 


Failure  caus¬ 
ing  a  loss  (or) 
incorrect)  of 
Signal  to  the 
on  course  or 
course  sensi¬ 
tivity  moni¬ 
tors. 


Failure  caus¬ 
ing  a  loss  (or) 
incorrect) 
signal  to  the 
clears  nee 
moni  tors. 


Failure  caus¬ 
ing  a  loss 
(or  incorrect )| 
signal  to  the 
course  moni¬ 
tors  . 


Failure 

Effect 


Loss  of  I.D 
radiation  and| 
warning  sig¬ 
nal  capabi¬ 
lity. 


Loss  of 
clearance 
SB0  Signal . 


Upon  failure, 
an  immediate 
transfer 
followed  by 
an  immediate 
shutdown  wi  1 1 
occur. 


Upon  failure, | 
an  immediate 
transfer 
followed  by 
an  immediate 
shutdown  will 
occur. 


Upon  failure, | 
an  immediate 
transfer 
followed  by 
an  immediate 
shutdown  wi  1 1 
occur. 


Failure 

Kate 

(XxiaH 


4.727 


9.984 

Xna 


0.493 

X 

NB 


2.631 


1.116 

'Ne 


0.311 

\7 


1.347 

\8 


Remarks 


Since  any  signal 
degradation  suf¬ 
ficient  to  be  out 
of  tolerance  has 
the  same  net  ef¬ 
fect,  all  possible 
failure  modes  may 
be  treated  on  an 
aggregate  basis. 


SDM,  DDM,  and/or 
RF  alarms  on  the 
monitors  are  de¬ 
pendent  on  speci¬ 
fic  failure 
characteristics . 


5 
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Identification 

cUNCTION 

Failure 

f^ODE 

Failure 

Effect 

Failure 

Rate 

(XxlO5) 

demarks 

Item 

Name 

1  ,D. 

No. 

Clearance 

Antenna 

Array 

i 

! 

69 

! 

Radiates  the  clearance 
signals. 

Failure  caus 
a  loss  (or 
Incorrect) 
signal  to 
the  clear¬ 
ance  monitor 

Upon  failure, 
an  inmedlate 
transfer  fol¬ 
lowed  by  an 
Immediate  shut¬ 
down  will  occur 

0.615 

A  *-■  4 


AP°ENDIX  B 


GLIDESLOPE  SUBASSEMBLY  FAILURE  MODES  AND  RATES 


NOTE:  In  the  failure  analysis  tables  a  single  asterisk  super¬ 
script  )  indicates  that  the  failure  rate  for  that  failure 
mode  is  different  from  the  corresponding  value  for  the  CAT.  Ill 
system  as  given  in  Ref.  3.  A  double  asterisk  superscript 
indicates  a  completely  new  failure  mode.  All  other  failure  rates 
are  from  Ref.  3. 


TABLE  3.  Ali deslope  Failure  Analysis 
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Identification 


The  control  unit  processes 
alarms  received  from  the 


Generation 
of  an 


monitor  channels,  providing  erroneous 


signals  to  transfer  main 
to  standby,  to  shut  down 
both  transmitters,  or  to 
indicate  a  monitor  mis¬ 
match.  In  addition,  the 
control  unit  generates 
inhibit  signals,  displays 
both  locally  and  remotely 
transmitter  status,  and 
displays  various  power/ 
temperature  alarm  condi¬ 
tions.  Operational  fea¬ 
tures,  such  as  bypass  of 
monitors,  main  unit  se¬ 
lect,  and  memorization  of 
alarms  are  also  associated 
with  the  control  unit. 


transfer 
signal . 


FAILURE 

EFFECT 


FAILURE 


(  \x!0  ) 


Causes  a 
transfer  to 
standby. 


,x;«- 

1.829) 


Generation 
of  an 
erroneous 
shutdown 
signal  due 
to  alarm 
processing 
circuitry. 


Inabil ity  to 
process  a 
transfer 
signal . 


Immediate 
system  shut¬ 
down. 


Monitoring  of 
the  integral 
course,  sensi¬ 
tivity,  I.D., 
and/or  clea¬ 
rance  is 
virtually 
rendered 
useless. 


2.870 

'\V 

1.140) 

(\*  ■ 
1  02 
0.913) 

(V  * 

103 

1.730) 


X*  is  the 
1A1 

failure  rate 
for  parts 
allowing  a 
spontaneous 
transfer  to 
standby  trans- 
mi  tter. 

V  *  is  the 
UA2  failure 
rate  for  parts 
which  can  fai  1 
such  that  a 
transfer  is 
made  &  a  per¬ 
sisting  trans¬ 
fer  signal 
will  cause 
shutdown. 


\*  is  the  fai- 
1 D 1  lure  rate 
for  parts  allow¬ 
ing  faulty  signal 
to  persist. 

X*  is  the  part 

lt>2  of  X* 

1D1 

including  only 
failures  which 
would  not  re¬ 
sult  in  an  "ABN" 
or  "MONITOR  MIS¬ 
MATCH"  indication 

X*  1  s  the 
103  failure 
rate  for  parts 
preventing  trans¬ 
fer  &  resulting 
In  shutdown  upon 
attempting  trans¬ 
fer. 


Inability 
to  process 
any  or  all 
power /envi¬ 
ronmental 
alarms. 


Loss  of  remote 
recognition  of 
respective 
alarm  condl- 
tl  ons . 


Identification 


FAILURE 

FAILURE 

FAILURE 

RATE 

MODE 

EFFECT 

(\xlOs) 

Generation 

The  main  trans 

1.039 

of  an  erro- 

mitter  is  shut 

Mm 

neous  con- 

down  for  at 

trol  signal 

least  20  sec. 

that  shuts 

independent 

down  the 

of  the  persis- 

main  trans- 

tence  of  the 

mitting  unit 

erroneous 
control  signal 

Generation 

— 

The  moni tor 

0.232 

of  a  con- 

channels  are 

Ms 

tinuous  in- 

i nhi  bi  ted  and , 

hibit  to 

hence,  ren- 

the  monitor 

dered  totally 

channels. 

useless . 

Inability  to 

If  another 

0.54S 

process  a 

failure  occurs 

\* 

main  inhibit 

which  initi- 

IT 

to  the 

ates  a  trans- 

monitor 

fer,  an 

channels . 

immediate 
shutdown  will 
occur  since 
the  monitors 
are  nnt  inhi¬ 
bited  during 
the  transition 
period. 

Loss  of  *12 
volts  in 
control 
unit  power 
supply. 
(Note:  loss 
of  switched 
28v  is  also 
included. ) 


All  control 
logic  is 
rendered  use¬ 
less.  Both 
transmi tters 
shut  down; 
monitor  chan¬ 
nels,  however, 
are  inhibited 
and,  hence, 
do  no  t  alarm. 


f 

TABLE  B.  Glideslope  Failure  Analysis 
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Identification 

FAILURE 

item 

NAME 

I.D. 

NO. 

FUNCTION 

FAILURE 

MODE 

FAILURE 

EFFECT 

RATE 

(KxlO6) 

REMARKS 

1 

.Course  Trans- 
Hitter  (MAIN 
or  STANDBY) 

02 

dr 

06 

(N) 

The  course  transmitter  In 
conjunction  with  the  10 
watt  amplifier  delivers 
a  UHF  carrier  to  the 
modulator. 

loss  or  de¬ 
gradation  of 
UHF  carrier. 

Loss  of  all 
course  signal 
radiation, 
affecting  the 
entire  glide- 
path  angle  and 
width. 

6.734 

\ 

Transfer  would 
not  occur  on 
failure  of  stand¬ 
by  unit. 

J 

Clearance 
Transmitter 
(MAIN  or 
STANOBY) 

04 

or 

08 

The  clearance  transmitter 
supplies  a  UHF  carrier 
modulated  at  150  Ha  which 
Is  used  to  ensure  low 
approach  angle  coverage. 

Loss  or 
degradation 
of  the  150  Hz 
modulation. 

Loss  of  clear¬ 
ance  coverage 
of  approach 
angle.  (Pure 
carrier  radia¬ 
ted)  . 

1.914 

^NA 

Transfer  would 
not  occur  on 
failure  of  stand¬ 
by  unit. 

' 

Loss  or 
degradation 
of  UHF  car¬ 
rier. 

Loss  of  clear-! 
coverage  of 
approach 
angle. 

6.734 

^N8 

10  Hatt  Am- 
pllfler  (MAIN 
or  STANDBY) 

05 

or 

09 

the  10  watt  amplifier 
merely  amplifies  the 
course  UHF  carrier. 

Loss  or 
degradation 
of  UHF 
carrier. 

Loss  of  all 
course  signal 
radiation. 

0.686 

K 

Transfer  would  not 
occur  on  failure 
of  stand-by  unit. 

.1 

1 

> 

Modulator 
(MAIN  or 
STANDBY) 

03 

or 

07 

i 

Provides  course  UHF 
carrier  amplitude  modu¬ 
lated  by  a  90Hz  and 

150  Hz  signal,  CSE  C+SB. 
It  provides  the  course 

SBO  signal;  a  low  fre¬ 
quency  150  Hz  signal 
which  feeds  the  clearance 
transmitter.  (Two  freq¬ 
uency  glideslope  only: 
no  clearance  signal  from 
the  one  frequency  glide- 
slope). 

!  i 

Loss  of  low 
frequency  os¬ 
cillator 
(14.4  kHz) 
resulting  In 
loss  of  all 
90Hz  and 

150  Hz  modu¬ 
lation. 

Loss  of  the 
following  sys¬ 
tem  signals : 

1.  LF  150 

2.  SB  In  clea¬ 
rance  C+SB 

3.  Course  SBO 

4.  SB  in 
course  C+SB 

2. 613 
^NA 

Transfer  would 
not  occ»r  on 
failure  '  stand¬ 
by  unit. 

x 

l 

! 

Loss  of  UHF 
carrier  to 
digital  phas¬ 
ing  ckts.  (to 
either  or 
both  of  the 

90  and  150 
phase  shif¬ 
ter) 

Loss  of  SB  in 
course  C+SB 
signal  and 
course  SBO 
signal. 

0.427 

^NB 

1 

1 

j 

i 

* 

[ 

f 

A 

i 

1  r 

Loss  of  90  or 
150  Hz  divi¬ 
ders,  syn¬ 
chronization 
circuitry  or 
90/150  Hz 
sht't  regis¬ 
ters. 

Out  of  tole¬ 
rance  course 
C+SB  and  SBO, 
and,  for  two  • 
frequency 
glideslope, 
clearance  C+SB 
signals. 

1.453 

B-5 


Identifica 

ITEM 

NAME 

TION 

I.D. 

NO. 

FUNCTION 

FAILURE 

MODE 

FAILURE 

EFFECT 

FAILURE 

RATE 

(XxlO6 

REMARKS 

Modulator 
(MAIN  or 
STANDBY ) 
(CONTINUED) 

03 

or 

07 

! 

. 

Loss  OfXjj 

driving  signal 
to  delay  line 
(either  the 
90Hz  or  150  Hz 
phase  shifter) 

Slight  dis¬ 
tortion  of 
the  course 
C+SB  and  SBO 
signals . 

2.426 

\d 

Not  hazardous. 

Loss  ofX^g 

driving  signal 
to  the  delay 
lines  (either 
the  90  Hz  or 
150  Hz  phase 
sht  fters ). 

Distortion 
somewhat  more 
than 

the  course 
C+SB  and  SBO 
signals. 

2.426 

XNE 

Not  hazardous. 

Loss  ofXo, 

\.x  X 

V  4*  2* 

orA^  signal 

to  the  delay 
line,  (either 
the  90  Hz  or 
150  Hz  phase 
shi  fters) 

Out  of  toler¬ 
ance  course 
C+SB  and  SBO 
signals. 

12.832 

V 

Loss  of  +90, 
-90,  +150,  or 
-150  hz  phase 
shifter  RF 
signal . 

Out  of  toler¬ 
ance  C+SB 
signal . 

m 

Loss  of  +90, 
-90,  +150,  or 
-15o  Hz  phase 
shifter  RF 
signal. 

Out  of  toler¬ 
ance  SBO 
signal. 

0.5234 

Ki 

Loss  of  the 

150  Hz  sinu¬ 
soidal  signal 
for  clearance 
transmission. 

Out  of  toler¬ 
ance  clear¬ 
ance  C+SB 
signal . 

1.176 

\h 

The  one  frequency 
gli deslope  does  not 
radiate  a  clearance 
signal  . 

Course  Moni¬ 
tor  Channels 
(1  or  2) 

(MAIN) 

34 
or 

35 

Provide  monitoring  of 
the  course  position  path 
angle  (ODM),  the  I  modu¬ 
lation  (SOM)  and  the 
course  UHF  power  level. 

Loss  of  moni- 
torl  ng  abll  1  ty 
producing 
alarms. 

Loss  of  1  of 

2  monitors. 

Now  dependent 
on  remaining 
monitor  for 
system  con¬ 
trol  . 

12.918 

If  another  corresp¬ 
onding  monitor 
alarm  failure  occur¬ 
red  in  the  remaining 
monitor,  glideslope 
will  transfer,  then 
shutdown. 

Loss  of  monl- 

Loss  of  1  of 

5.065 

If  the  same  failure 

torlng  ability  2  monitors.  \*  occurs  In  the  remaining 

producing  Now  dependent  ''nb  monitor,  hazardous 

no  alarms.  on  remaining  radiation  will  go 

monitor  for  undetected, 

system  con- 


FAILURE 


FAILURE 

EFFECT 


FAILURE 

RATE 

( Xxio6) 


Near  Field 
Monl tor 
Channels  1 
or  2 


Cl  ea  ranee 
Monitor 
(Channels 
1  or  2) 
(MAIN) 


Provide  monitoring  of 
the  course  width  (DDM) 


Loss  of 
monl  tori  ng 
ability 
producing 
no  alarms . 


Provide  monitoring  of  Loss  of  mo- 

the  near  field  course  nitoring 

position  path  angle  (DDM)  ability 

producing 

alarm. 


Provide  monitoring  of 
of  the  clearance  DOM,  % 
modulation,  and  clear¬ 
ance  UHF  power  level. 

(Two  frequence  gl  ide  slept 
only.  No  clearance 
signal  from  the  one 
frequency  glide si  ope). 


Loss  of  mo- 
ni  toring 
ability 
producing 
no  alarm. 


The  near  field  peak  de¬ 
tector  receives  its  in¬ 
put  signal  from  a  near 
field  antenna.  The 
received  RF  signal  is 
representative  of  the 
course  alignment.  The 
peak  detector  then  con¬ 
verts  to  the  RF  signal 
Into  a  low-frequency  sig¬ 
nal,  both  OC  S  AC.  The 
DC  Is  representative  of 
the  course  RF  power;  the 
AC  is  the  demodulated 
90/15D  Hz  course  signals. 


Loss  of  mo- 
ni  tori ng 
ability 
produci ng 
no  alarm. 


Loss  of 
detected 
output  sig¬ 
nal  . 


Loss  of  1  of 
2  monitors. 
Now  dependent 
on  remaining 
monitor  for 
system  control 


Loss  of  1  of 
2  monitors. 

Now  dependent 
on  remaining 
monitor  for 
system  control 


Loss  of  1  of 
2  monitors. 

Now  dependent 
on  remaini  ng 
monitor  for 
system  control 


Loss  of  1  of 
2  monitors. 

Now  dependent 
on  remaining 
monitor  for 
system  control 


Loss  of  1  of 
2  monitors. 

Now  dependent 
on  remaining 
monitor  for 
system  controll 


Loss  of  1  of 
2  monitors . 
Now  dependent 
on  remaining 
monitor  for 
system  control 


Loss  of  the 
input  signal 
to  the  near 
field  monitor 
channels, 
causing  a 
shutdown. 


11.099 


If  another  corres¬ 
ponding  DDM  failure 
occurs  in  the  re¬ 
maining  monitor, 
gl ideslope  will 
transfer,  then 
shutdown . 


If  the  same  failure 
occurs  in  the  re¬ 
maining  monitor, 
hazardous  radiation 
will  go  undetected. 


If  another  corres¬ 
ponding  monitor  alarm 
failure  occurred  in 
the  remaining  monitor 
immediate  gl  ideslope 
shutdown  will  result. 


If  the  same  failure 
occurs  in  the  re¬ 
maining  monitor, 
hazardous  radiation 
will  go  undetected. 


If  another  cor¬ 
responding  moni¬ 
tor  alarm  failure 
occurred  in  the 
gl ideslope  will 
transfer,  then 
shutdown. 


If  the  same  failure 
occurs  in  the  re¬ 
maining  monitor, 
hazardous  radiation 
will  go  undetected. 
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Identification 


item 

NAME 


I  .D, 
NO, 


FUNCTION 


FAILURE 

MODE 


FAILURE 

EFFECT 


FAILURE 

RATE 

(XxlO6) 


REMARKS 


Course  Peak 
Detector 


19 


The  course  peak  detector 
receives  a  simulated 
course  position  input  sig¬ 
nal.  This  input  signal  is 
obtained  by  a  combination 
of  signals  obtained  by 
proximity  probes  at  the 
radiating  antennas.  The 
peak  detector  then  converts: 
the  RF  signal  into  a  low 
frequency  signal,  both  DC 
and  AC.  The  DC  is  repre¬ 
sentative  of  the  RF  power; 
the  AC  is  the  demodulated 
90/150  Hz  signal . 


Loss  of 
detected 
output 
signal . 


Loss  of  input 
to  monitor 
channels, 
causing  trans¬ 
fer,  then 
shutdown. 


1.115 

^20A 


Sensi ti vi ty 
Peak 

Detector 


22 


The  sensitivity  peak 
detector  receives  a  simu¬ 
lated  input  signal,  repre¬ 
sentative  of  the  course 
width  (displacement  sensi¬ 
tivity).  This  input  is 
obtained  by  a  combination 
of  signals  obtained  by 
proximity  probes  at  the 
radiating  antennas.  The 
peak  detector  converts  the 
RF  signal  into  a  low- 
frequency  signal,  both  DC 
and  AC.  The  DC  is  repre¬ 
sentative  of  the  RF  power; 
the  AC  is  the  demodulated 
90'150  Hz  signal . 


Loss  of 
detected 
output 
signal . 


Loss  of  input 
signal  to  the 
sensitivity 
moni tor 
channels , 
causing  trans¬ 
fer,  then 
shutdown. 


1.115 

k22 


Clearance 

Peak 

Detector 


25 


The  clearance  peak  detec¬ 
tor  receives  a  simulated 
clearance  input  signal. 

This  input  signal  is  ob¬ 
tained  by  a  combination  of 
signals  obtained  from  both 
proximity  probes  and  a 
sampled  signal  of  clearance! 
C+SB  and  SBO.  This  RF 
input  s  gnal  is  converted 
to  a  low  frequency  signal  , 
both  AC  and  DC.  The  DC 
is  representati ve  of  '.he 
clearance  RF  power;  the 
AC  is  the  demodulated 
90/150  Hz  clearance  signal., 
(Two  frequency  glideslope 
only.  No  clearance  signal 
from  the  one  frequency 
glideslope). 


Loss  of 
detected 
output 
signal . 


Loss  of  input 
signal  to 
clearance 
moni  tors , 
causing  trans 
fer,  then 
shutdown . 


i .  1 15 


'25 


TABLE  B.  Glideslope  Failure  Analysis 
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IdeNufica 

ITEM 

NAME 

TION 

I.D. 

NO. 

FUNCTION 

FAILURE 

MODF 

■  - 

FAILURE 

EFFECT 

FAILURE 

RATE 

(XxlO6) 

REMARKS 

Changeover 
and  Test 
Circuits 
(Peak  De¬ 
tector 
Excluded) 

10 

The  changeover  and  test 
circuits  provide  the  auto¬ 
matic  changeover  capability 
for  the  redundant  trans¬ 
mitting  units.  It  selects 
upon  command  from  the 
control  unit  which  trans¬ 
mitting  unit  radlites  into 
the  antennas. 

Inability 
to  change¬ 
over  trans¬ 
mitting 
units  by 
swi tching 
circuits. 

Any  failure 
on  the  main 
unit,  which 
should  only 
generate  a 
changeover  to 
STANDBY,  will 
result  in  a 
system 
shutdown. 

0.221 

^10A 

Essential ly 
renders  the 
standby  unit 
useless. 

Premature 
transfer  of 
transmi  tting 
units  to 
antennas  by 
switching 
circuits. 

If  in  MAIN,  a 
transfer  to 
STANDBY  will 
occur;  i f  i n 
STANDBY,  a 
transfer  to 

OFF  will  oc¬ 
cur.  This  is 
due  to  momen¬ 
tary  loss  of 
signal . 

0.134 

^108 

Essential  ly 
renders  either 
the  Main  or 
Standby  trans¬ 
mitters  useless. 

Total  loss 
(or  incor¬ 
rect  phasing' 
of  course 

SBO  signal 
of  the  ma-in 
uni  t. 

Alarms  on 
monitor  chan¬ 
nels  initiate 
a  transfer  +n 
standby  and 
system  oper¬ 
ates  un 
standby. 

0.2750 

x** 

uOD 
(2  freq. 
or  side 
band  ref. ) 

-  ■  - 

X~D  -  0.2851 

for  null  refer¬ 
ence  glideslope 

Loss  of  any 
one  or  all 
of:  CSE  C+SB, 
CSE  SBO,  CL 
C+SB,  (to 
main  trans¬ 
mi  tter ). 

(No  CL  in 
one  frequencj 
gl  ideslope). 

Immediate 
shutdown  after 
an  automatic 
t-ans  fer . 

1.951 

\oE 

\oEl 
0.466 
(Each  pin 
swi tch 
circuit) 

Olstri  bution 
Circuits 
(Antennas 
included) 

- 

11 

The  UHF  distribution  cir¬ 
cuits  combine  and  distr’butf 
the  CSE  C+SB,  CSE  S80,  and 

CL  C+SB  signals  to  the 
three  2-lambda  antennas. 

(No  CL  signal  from  null 
reference  or  side  band 
reference  glideslope). 

A  loss, 
degradation 
or  incorrect 
phasing  of 
any  signal 
feedings  any 
one  of  the 
three  an¬ 
tennas. 

Since  a  fai- 
1  ure  of  thi s 
type  is  inde¬ 
pendent  of 
the  transmit¬ 
ting  unit 
(signal  paths 
common  to 
both  trans¬ 
mitters),  an 
immediate 
shutdown  after 
an  automatic 
transfer  will 
occur. 

1.231 

\l 

(2  freq.  1 

<\l  ’  °- 
null  re  f . , 

Xu  =0.635 

side  band 
ref . ) 

NlA  " 
0.0101 

\iiA  i* 

failure  rate  for 
degradation  of 
SBO  signal  only. 

■i-  9 


to- 
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Identification 


FAILURE 

EFFECT 


FAILURE 


UHF  Recoil*  12  The  UHF  recombining  clr-  A  Toss, 
blnlng  cults,  receiving  Input  from  degradation 

Circuits  and  proximity  detector  probes,  or  Incorrecl 

Probes  (Peat  combine  the  CSE  C+S8,  CSE  phasing  of 

Detectors  S80  and  CL  C+SB  to  provide  an  signal 

Excluded)  inputs  to  monitors  for  feeding  any 

monitoring  the  course  posl-  of  the 
tion,  displacement  sensl-  monitors, 
tlvlty  and  clearance 
radiation.  (No  CL  signal 
from  one  frequency  glide- 
slope). 


The  actual 
field  radia¬ 
tion  is  unaf¬ 
fected. 
However,  the 
monitor  chan¬ 
nels  believe 
an  "out  of 
tolerance* 
condition 
exists  and 
initiate  a 
transfer; 
since  the 
circuitry  Is 
coaaon  to 
both  trans¬ 
mitting  units, 
the  monitors 
will  again 
sense  an  *out 
of  tolerance* 
condition  and 
Initiate  a 
shutdown . 


Provides  the  Input  for  the 
three  near  field  monitors. 


A  loss  or 
degradation 
of  signal 


The  erroneous 
(or  total 
loss  of)  slg- 


feedlng  the  nal  Is  pro¬ 
monitors.  cessed  as 

a  near  field 
alarm, 

resulting  In 
transfer  and 
shutdown  after 
the  nominal 
time  delay. 


Identification 
item  i.n. 

NAME  NO. 


TABLE  B.  fiLlDESLOPE  CAILURE  ANALYSIS 


FUNCTION 
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FAILURE 

FAILURE  FAILURE  RATE  REMARKS 

MODE  EFFECT  (AltlO  ) 


Battery 

Charger 


OC/DC  Con¬ 
verter 
No.  1  or  2 


Temp  Sensors 


The  battery  charger  sup 
plies  all  the  electric 
power  to  all  the  equip¬ 
ment  of  the  glldeslope 
station.  In  addition, 
to  supplying  the  power 
to  the  electronic 
equipment.  It  ensures 
that  a  full  charge  Is 
constantly  maintained 
on  both  batteries. 

In  the  event  of  a  pri¬ 
mary  power  failure, 
the  two  batteries 
(In  parallel)  supply 
the  necessary  DC  power. 


Each  of  the  DC/DC  con¬ 
verters  transforms  the 
+30  volts  nominal  Input 
voltage  to  3  different 
output  voltages:  +5.5V, 
-18V,  and  -50V.  The  out' 
put  voltages  of  each 
converter  are  respec¬ 
tively  used  in  parallel 
and  feed  both  modula¬ 
tors  In  the  system. 


The  temperature  sensors 
provide  alarm  Indica¬ 
tions  whenever  the 
temperature  exceeds  or 
drops  below  pre-set 
limits.  These  limits 
are  set  to  give  indi¬ 
cation  of  air-condi¬ 
tioner/heater  failures. 


Loss  of  System  will 
charge  out-  operate  3  hours 
put  voltage  on  batteries 
(note:  the  after  charger 
nominal  failure, 
output  vol¬ 
tage  is 
30  volts 
DC) 

Charger  No  immediate 
failure  in-  effect  on  sys- 
dlcation  tern  operation, 
only  while 
output  vol¬ 
tage  is 
still  main¬ 
tained  on 
charger. 

Loss  of  e-  No  immediate  I 


10.477 


qualize 


effect  on  sys- 


voltage  ca-  tern  operation, 
pabillty  - 
either  man¬ 
ual  and/or 
automatic. 

(note:  the 
equalize 
voltage  is 
a  nominal 
33  volts  DC 
thus  pro¬ 
viding  a 
"hard 


charge"  to 
the  bat¬ 
teries. 

Loss  of  an) 

Station  main¬ 

6.598 

one  or  all 

tains  normal 

x 

of  the  fol¬ 

operation  on 

lowing  vol¬ 

remaining  con¬ 

tages  : 

verter  voltage; 

+5.5V,  -18V 

Each  of  the 

-50  V. 

converter  vol¬ 
tages  is 
sensed  in  the 
control  unit 
for  abnormal 
tolerances. 

Failure 

Immediate  shut 

0.100 

producing 

down  of 

X , 

an  alarm 

gl ideslope 

17A 

indication. 

station. 

Not  hazardous; 
redundancy  of 
remaining  char¬ 
ger  and  the  two 
batteries  provide 
negligible  pro¬ 
bability  of 
station  shutdown. 


Not  hazardous; 
both  transmitters 
still  available 
after  downgrade. 


6.436  Not  hazardous; 

\  a  total  discharge 
rlC  of  the  batteries 
can  occur  only 
after  the  system 
is  operated  on 
batteries  for 
some  extended 
period  of  time 
(greater  than  3 
hrs).  System 
operation  on  bat¬ 
teries  is  a  result 
of  either  primary 
power  failure  or 
a  charger  failure. 


To  result  in  a 
station  shutdown, 
both  converters 
must  +ail . 


100  Temperature  alarm  is 
optional  for 
17A  CAT.  II. 


TABLE  B.  Glideslope  Failure  Analysis 
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j!  1  ~ 

,  j  I  DENT  I  FI  CA 

ITEM 

NAME 

TION 

I.D. 

NO. 

FUNCTION 

FAILURE 

MODE 

FAILURE 

EFFECT 

FAILURE 

RATE 

CXxNT) 

REMARKS 

^  Temp  Sensors 

(CONTINUED) 

.i 

1 

» 

17 

Failure  pro¬ 
ducing  no 
alarm  indica¬ 
tion. 

There  are  two 
sensors  (thermo 
couples}-  one 
for  high  temps 
and  one  for 
low  temps.  A 
failure  of  this 
type  In  one  of 
the  sensors  doe; 
not  affect  the 
operation  of 
the  other. 
Hence,  the  only 
effect  is  the 
loss  of  temp, 
monitoring  abi¬ 
lity  for  only 
one  temperature 
extreme  (high 
or  low). 

0.100 

^178 

Not  hazardous; 

If  temperature 
affects  system 
operation,  other 
alarms  will 
occur. 

|  Misalignment 

Detector 

I 

i 

•» 

i 

,  * 

i 

i 

;l 

jj 

j 

? 

* 

\ 

**  l 

49 

The  misalignment  de¬ 
tector  detects  perma¬ 
nent  misalignment  or 
deformation  of  the 
glideslope  antenna 
tower.  A  nominal  135 
seconds  delay  Is  pro¬ 
vided  to  process 
alarms,  since  tower 
vibrations  and  wind 
loadings  can  occur. 

Loss  of  align¬ 
ment  detection 
producing  an 
alarm. 

Erroneous  shut¬ 
down  of  the 
glideslope 
station. 

..  . 

4.915 

\9A 

Loss  of  align¬ 
ment  detection 
producing  no 
alarm. 

Although  the 
near  field  monl 
tors  detect 
field  radiation 
an  erroneous 
signal  radia¬ 
tion  can  still 
exist  since 
tower  misalign¬ 
ment  in  the 
horl zontal 
plane  chiefly 
affects  the 
width  of  the 
glide  path 
angle  and  the 
clearance 
radiation. 

2.354 

^98 
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1.  Probability  of  the  radiation  of  a  faulty  course  position  DDM  signal 

DUE  TO  EQUIPMENT  FAILURE. 

Calculation 


PrtF  m  (Prc 

C5t0DN  CF 


XP, 


INT, 


CSE, 


DON 


XP**rrXI‘»mKEM1|>*Pl 


FF, 


OELAY 


WHERE 

PCF" 


PMON  X  Pi  iff 
W"FF  CSE 


DON 


X  P 


INT, 


CSE 


DON 


Prr  Is  •  conditional  factor,  expressing 
the  fact  that  all  DON  Monitoring 
■ust  Da  lost  before  radiation  of  a 
faulty  DON  signal  In  order  for 
such  a  signal  to  be  undetected. 


INT 


(^hk _ •  MI)  +  *  MI 


CSEoom  CSE 


PMON  *  (XNON  *  W)2  +  (X*  +  X*  ) 

™"fF  W"FF  4SF  IE 

X  MI 


5XMTRr«  *  ^''XMTRr,r  *  ^ 
CStOON  C5E00H 


INT, 


rFF, 


CSE 


DELAY 


00H 


Pxntr  ♦  pint 

t5lOCN  C5tD0N 


INT, 


CSE 


MI 

X  Nwtr 


DON  •  70  SEC. 

•  70  sec. 


CSE 


DON 


P,HT  Is  the  probability  of 

‘  'CSEgfju  failure  of  course  Integral 
Monitoring  circuitry 
(hidden  failure). 


Pwt*  1*  the  probability  of  a  hidden 
W,"FF  failure  In  the  far  field  DON 
Monitoring  circuitry. 


P“™BE 


DON 


Is  the  probability 
that  an  actual  faulty 
course  DON  Mill  be 
radiated,  with  no  other 
paraneters  being 
affected. 


P«  Is  the  probability  that 
DELAY  an  actual  faulty  course 
DON  will  be  radiated 
within  the  70-second  delay 
of  the  far  field  Monitor 
alarms.  If  the  far  field 
Monitor  Is  Monitored  In 
the  control  tower. 


PFF 


DELAY 


0. 


MI  ■  Preventive  Maintenance  Interval  to  check  for  hidden  failures. 
(One  week  (168  hours)  Is  assumed). 

)■  2  *  IF  landings  are  not  allowed  with  Monitor  Mismatch 
Mismatch  condition  present  (A8N  light  In  tower). 

•  1  -  Otherwise. 
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1.  Probability  of  the  radiation  of  a  faulty  course  position  DDK  signal 
due  to  equipment  failure.  (CONTINUED) 

Failure  Rate  Data 
^HON^  "  ^“358  "  5.62  X  10  6 

^nonff  *  *  ***®2  X 10  6 

If  uycings  are  not  allomed  with  "ABN*  light  on: 

X*9F  ■  ■  0;  X1Mon  ■  +  Xls  «  1,140  X  ID'* 

Otherwise: 

\;9F  -  1.63  X  ID'6 


Kt  -  1.143  X  ID'6; 

\  V  * 

'mhon  *  1D1 

\  •  X 

/*NTRf— c  a38 

t5tOOW 

-  0.413  X  ID’6 

S. 

-  12.832  X  ID'6 

x* 

-  1.302  X  ID'6 

\zE 

-  0.070  X  ID'6 

\lFl 

-  1.209  X  10"6 

-  0.961  X  ID'6 

Si 

-  1.347  X  10*6 

XK»T.,„  *  B.13  X  10-* 
XjtD0M 
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1.  Probability  of  the  radiation  of  a  faulty  course  position  DPP  signal 
due  to  equipment  failure.  ((CONTINICO) 


If  landings  are  not  allowed  with  a  monitor  mismatch 

CONDITION  PRESENT: 


I  NT. 


CSE 


DON 


'MONpp 

PxMTR. 


CSE, 


DON 


CF 


FF, 


DELAY 


(5.62  X  ID*6  •  168  HR)2  +  (1.140  X  ID'6)  •  168  HR 
1.92  X  ID'4 

(4.422  X  ID'6  *168  HR)2  -  55.19  X  ID'8 

18.13  X  ID'6 *168  HR-  30.46  X  ID'4 

(1.92  X  ID'4)  (55.19  X  ID'8)  .  3  48  x  10-8 

30.46  X  ID'4  ♦  (1.92  X  ID-4)  (55.19  X  ID*8) 

1.92  x  1.92  X  ID'4  , 70/5500  *  X  W'6x  V 
30.46  ♦  1.92  168  HR 

4.667  X  ID*16 


(3.48  X  ID'8) (1.92  X  10'4)(55.19  X  10'8)(30.46  X  10'4)  ♦  4.667  X  ID'16 
1.12  X  10*2°+  4.667  X  10'lB  -  4.667  X  ID'16 


If  LANDINGS  ARE  ALLOWED  WITH  a  MONITOR  MISMATCH  CONDITION  PRESENT: 

PINT  -  (5.62  X  ID'6  •  168  HR)  +  (1.367  X  ID'6)  •  168  HR 
cseddh  4 

-  n.74  X  ID*4 

PnoNF)r  *  (4.422  X  ID’6  •  168  HR)  +  (1,63  X  IQ*6  +  1.143  X  10'6)  •  168  HR 

-  12.00  X  10'4 


P»mw  •  **  * 
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1.  Probability  of  the  radiation  of  a  faulty  course  position  DDK 
SIGNAL  DUE  TO  EQUIPMENT  FAILURE.  (CONTINUED) 


(1I.7H  X  in'4)  (12.09  X  10‘-4) - -  .  <,i66xiD* 

30.46  X  ID*4  +  (11.74  X  ID  )  Q2.09  X  ID"4) 


-  4.667  X  ID*16 

ff0£LAY 


(4.66  X  10"4)*(11.74  X  1Q*4)*G2.08  X  ]Q"4)*(30.46  X  ID"4) 
+  4.66  X  ID"16 
2.023  X  IQ'12 


( 
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2.  Probability  of  the  radiation  of  a  faulty  course  position  SDM  signal, 

I.E.,  INCORRECT  PERCENTAGE  MODULATION. 

Calculation 


“CSE, 


SDM 


Pep  X  PINT  X  Pxmik 

lmS0N/SEN  ",n,CSEsw 


WHERE 

PCF 


INT 


‘XMTR, 


CSE 


SOM 


S DM/SEN 

+  Pint 

‘"’SON/SEN 


PrF  1$  a  conditional  factor  expressing 
the  fact  that  all  monitoring  which 
will  detect  an  SDN  fault 

(PtNT  )  nust  be  lost  before 

SDM/SEN  transmission  of  a 
faulty  SDM  signal  (P^  ) 

In  order  for  such  a  CSES0M 
signal  to  be  undetected. 


3int  ‘W^NtON.  •MI)" 

SDM/SEN  ™"CSE  "^EN 


X 


1MON 


MI 


PtNT  Is  the  probability 

SDM/ SEN  of  a  hidden  failure 
In  the  Integral  monitoring  or 
control  unit  such  that  a  faulty 
course  SDM  signal  would  be 
undetected.  This  factor  ex¬ 
presses  the  fact  that  a  faulty 
course  SDM  signal  would  cause 
alarms  from  both  the  course  SDM 
Integral  monitors  and  the  sensi¬ 
tivity  Integral  monitors,  which 
share  the  same  processing  in  the 
control  uni  t  (  A.1N0N) 


XMTR 


CSE, 


X 


XMTR, 


SDM 


CSE 


MI 


SDM 


Pymto  Is  the  probability 

"CSE,-,  that  an  actual  faulty 
course  SDM  signal 
will  be  radiated,  while  no  other 
parameters  are  affected. 


MI 

m 


Preventive  maintenance  Interval  to  check  for  hidden  failures. 
(One  week  -  168  hours  -  Is  assumed.) 

2  -  If  landings  are  not  allowed  with  a  monitor  mismatch 
condition  present  (ABN  light  In  tower). 

1  -  Otherwise. 
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2.  Probability  of  the  radiation  of  a  faulty  course  position  SDP1  signal, 
I.E.,  INCORRECT  PERCENTAGE  MODULATION.  (CONTINUED) 


D 

s  1.93 

0.178 

‘  CF 

8.90  + 1.93 

P  rcc 

Ci£S0M 

=■  0.178  *(1.93  X 

ID*4)  • 

Pr$£ 

L:,tS0M 

»  3.082  X  ID'8 

If  LANDINGS  ARE  ALLOWED  WITH  A  MONITOR  MISMATCH  CONDITION  PRESENT: 


I  NT, 


SOM/SEN 


(5.62  X  10‘6  *168  HR)  +  (3.12  X  ID'6  -168  HR) 

+  (1.367  X  ID'6  *168  HR) 

9 .44  X  ID*4  +  5.24  X  10‘4  +  2.30  X  ID"4  *  1.70  X  ID'3 


rXHTR, 


CSE, 


SDN 


8.90  X  ID*4 


PCF  =  17.0  =  0.657 

8.90  + 17.0 

PCSE  -  0.657  •  (1.70  X  ID*3)  »(8.90  X  10*4)  =  9.918  X  ID*7 
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3.  Probability  of  the  radiation  of  a  signal  that  is  faulty  with  respect 
to  course  RF  power. 


Calculation 


rCS£, 


RF 


Pcf  ^  Pint  X  Pxhtr--- 


WHERE 

Per 


I  NT 


CSE. 


RF 


CSE 


+  Pt 


RF 


‘CSE, 


RF 


Pcf.  Is  a  conditional  factor,  express¬ 
ing  the  fact  that  RF  monitoring 
must  be  lost  befbre  radiation  of 
a  faulty  RF  signal  in  order  for 
such  a  signal  to  be  undetected. 


I  NT, 


CSE, 


RF 


PjHT  is  the  probability  of 

CS£Rf-  failure  of  course  RF  inte- 
f  qral  monitoring  circuitry 
(hidden  failure). 


'XMTR 


=  X 


CSE 


XMTR, 


RF 


CSE 


MI 


RF 


Pxhtd  1s  the  probability  that 

KCSER-  an  actual  faulty  signal 
with  respect  to  RF  power 
limit  will  be  radiated, 
with  no  other  parameter 
affected. 


fil  =  Maintenance  Interval  (168  hours  assumed) 


m 


2  -  If  landings  are  not  allowed  with  a  monitor  mismatch 
condition  present  (ABN  light  in  tower). 

1  -  Otherwise. 


Failure  Rate  Data 

XM0N  a  X*  -  5.62  X  ID"6 

"ur,FF  358 


If  landings  are  not  allowed  with  "AST  light  on: 

X. 


I  MON 

Otherwise: 

X 

1M0N 


\dz+\s  *  1.1MOX10-6 


=  ^01  +  ^is  *  1.367  X  I0‘6 
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3.  Probability  of  the  radiation  of  a  signal  that  is  faulty  with  respect 
to  court  RF  power.  (CONTINUED) 

Failure  Rate  Data  (CONTINUED) 


-  7.150X10' 

*  4.727  X  10* 
«  3.984  X  10' 

*  0.413  X  ID' 
=  1.302  X  10' 

*  1.209  X  10' 
=  0.961X10' 
=  1.347  X  ID' 


=  27.09  X  ID' 


>XMTR  =  27.09  X  10*6  *168  HR  =  45.51  X  10'4 
cserf 


IF  LANDINGS  ARE  NOT  ALLOWED  WITH  A  MONITOR  MISMATCH  CONDITION  PRESENT: 

PINT  =  (5.62  X  10'6  •  168  HR)2  +  (1.140  X  10*6  •  168  HR)  =  1.92  X  10*4 

11,1  rcc 
LbtRp 

PCF  =  L92  =  4,048  X  10'Z 

45.51  +  1.92 

PCSE  =  (4.048  X  10'2)(1. 92  X  10'4)(45.51  X  10'4)  =  3.553  X  10*8 


IF  LANDINGS  ARE  ALLOWED  WITH  A  MONITOR  MISMATCH  CONDITION  PRESENT: 

P twt  ■  (5.62  X  10*6  •  168  HR)  +  (1.367  X  10'6  •  168  HR)  =  11.74  X  10'4 


=  0.205 


45.51  +  11.74 


=  0.205  •  (11.74  X  10'4)  •  (45.51  X  10'4)  *  1.095  X  10'6 
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4.  Probability  of  the  radiation  of  a  signal  that  is  faulty  with  respect 
to  course  width  -  sensitivity  DDK. 


Calculation 


3$EN  =  ^  Pr nt 

itNDDM  If(rSEN 


X  P 


XMTR 


SEN 


WHERE 


rCF 


I  NT, 


I  NT, 


SEN 


Pxhtrsen  +  ^int$en 


SEN  '  *  ^"lMON  *  N 


P”T"SE»  '  A""'*SE»  '  W 


PCE  Is  a  conditional  factor,  as 
previously  described. 


PIKT  is  the  probability  of  a 
"  SEN  failure  of  the  sensitivity 
DDM  integral  monitoring 
circuitry  (hidden). 


XMTR, 


is  the  probability  that 
SEN  a  signal  that  is  faulty 
with  respect  to  course 
width  will  be  radiated, 
with  no  other  parameter 
being  affected. 


MI  =  Maintenance  interval  (168  hours  assured) 

IH  - 


If  landings  are  not  allowed  with  a  monitor 
mismatch  condition  present  (ABN  Tight  in  tower). 


1  -  Otherwise. 


Failure  Rate  Data 


/V*0NSEN  ^38B  ^39B 


3.12  X  10' 


If  LAfCINGS  ARE  NOT  ALLOWED  WITH  "4BT  LIGHT  ON: 

\mon  -  1.140  xr6 
Otherwise: 

\mon  »  1.367  X  IQ'6 


c-ii 


•i<4*  i 


i 


TABLE 
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R.  Probability  of  the  radiation  of  a  bi«jl  that  is  faulty  nith  respect 
TO  COURSE  WIDTH  -  SENSITIVITY  DOM.  (CONTINUED) 

Failure  Rate  Data  (CONTINUED) 


X 


xhtr, 


SEN 


^G1 

MzO 

x;; 


0.5234  X  10*' 


=  0.065  X  10" 
=  0.229  X  10" 


-6 


X 


XHTR, 


SEN 


=  0.817X10 


.-6 


XHTR 


SEN 


-  0.817  X  IQ"6  - 168  HR  -  1.37X10' 


IF  LAND  I NGS  ARE  NOT  ALLOWED  WITH  A  MONITOR  MI  SWATCH  CONDITION  PRESENT 

.  C  _ _ _  *  on  \.  -lft-A 


I  NT 


SEN 


_  (3t]2  X  10'6  *  168  HR)2  +  (1.140  X  ID'6  •  168  HR)  -  1.52  X  10 


CF 


«  0.583 

1.37  +  1.92 


PSEN  =  0.583  •  (1.92  X  10*4X1.37  X  10'4>  -  1.534  X  10 


-8 


DOM 


IF  landings  are  allowed  with  a  monitor  mismatch  condition  present: 
P  -  (3.12  X  10'6  •  168  HR)  +  (1.367  X  10'6  *  168  HR)  *  7.54  X  10'4 


CF 


SEN, 


7.54  =  o.846 

1.37  +  7.54 


=  0.846  *  (7.54  X  10'4X1.37  X  10*4)  =  8.753  X  10 


DOM 
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5.  Probability  of  the  radiation  of  a  faulty  clearance  signal  (BDf*,  SDfl  or  RF). 
Calculation 


Pci  x  Pcf  %  Pintcl  ^  P xntrcl 


Pxmtrcl  +  Pintcl 


Pint.,  =  ^MONri  *  +  ^imon*M1 


pxmtrcl  =  ^xmtrcl  *  ^ 


P-_  is  a  conditional  factor, 
L  as  previously  discussed. 


p.„T  is  the  probability  of  a 
‘"  CL  hidden  failure  of  the 
clearance  monitoring 
circuitry. 


P*ktr  ,s  the  probability  that  the 
n  kCL  radiation  of  the  clearance 
signal  will  be  faulty  with 
respect  to  DON,  SOM  or  RF 
parameters . 


Maintenance  interval  (168  hours  assumed) 


2  -  If  landings  are  not  allowed  with  a  monitor  mismatch 
condition  present  (ABN  light  in  tower). 

1  -  Otherwise. 


Failure  Pate  Data 


A43B  =  ^448  =  5.78  X  10 


If  landings  are  not  allowed  with  "ABN"  light  on: 


\1M0N  =  1.140  X  10- 


Otherwise: 


\mon  *  1*^67  X  10 


C- 1  3 
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5.  Probability  of  the  radiation  of  a  faulty  clearance  sisnal  (DDfl, 
$D*  or  RF). 

Failure  Rate  Data  (CONTINUED) 

X¥MTO  :  -  1.446  X  ID*6 


3 

1.446  X  ID*' 

3 

7.150  X  10*' 

3 

10.250  X  10*' 

3 

1.552  X  10*( 

S 

0.388  X  10*' 

= 

0.756  X  10*' 

^12F1 

3 

1.209  X  10*' 

\?E 

= 

0.070  X  10*' 

= 

0.194  X  10*' 

= 

0.615  X  10*' 

3 

2.631  X  10*' 

Xxntrcl 

3 

26.26  X  10*6 

P/htrcl  =  26.26  X  ID-6  •  168  HR  -  44.12  X  ID*4 


If  landings  are  not  allowed  with  a  monitor  mismatch  condition  present 
PrNT  *  (5.78  X  I0"6  - 168  HR)2  ♦  (1.140  X  ID"6  •  168  HR)  -  1.32  X  10*4 


PCF  =  “  4.17X10*" 

44.12  ♦  1.32 

P„  •  (4.17  X  10"z) <1.92  X  10-4) (44,12  X  IQ*4)  *  3.551X10* 


If  landings  are  allowed  with  a  monitor  mismatch  condition  present: 


(5.78  X  10*6  •  168  HR)  +  (1.367  X  ID*6  •  168  HR)  -  12.01  X  ID* 


44.12  +  12.01 

PP1  -  0.214  •  (12.01  X  10*4)(44.12  X  10*4)  -  1.133  X  10* 
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6.  Probability  of  the  radiation  of  a  signal  giving  a  faulty  course  position 

AT  THE  FAR  FIELD  ONLY. 


CALCULATION 


PCF  X  ^MONpp  X  PFF( 


P  4*  P 

"*w  ^CSE^ 


P  It  a  conditional  factor,  as  previously 
**  discussed. 


P,-*.  *  (X.^  *  MI)**  +  (\4oB  ♦  X1F)X  MI  P^  Is  the  probability  of  a  hidden 

,WTF  ruTF  i'*Vf  failure  In  the  far  field  DOM  monitor¬ 

ing  circuitry. 


Is  unpredictable,  being  a  function 
Fre  of  runway  activity. 


_  m  0  assumed  for  the 
Fcsedch  b4S*  case> 


.  70  sec 
30  SEC 


P  Is  the  probability  that  the  ILS 

"CSE—  signal  will  be  faulty  with  respect 
to  DON  tolerance  at  the  far  field 
due  to  external  runway  disturbances 
during  the  critical  landing  phase 
of  a  landing  (assumed  to  be  30 
seconds  for  the  base  case). 

P  is  the  probability  that  the  ILS 

^ONLYnc.-v  signal  will  be  faulty  with  respect 
DELAY  to  DON  tolerance  at  the  far  field 
due  to  external  disturbances 
during  the  70  second  delay  of  the 
far  field  monitor  alarm. 


RftIUJRE  ROTE  DATA 

^MONpp  *  4<422  X  10'6 

IF  LANDINGS  ARE  NOT  ALLOWED  WITH  "ABN"  LIGHT  ON: 

^49B  "  Ne  "  0 

3  W.422  X  10*6  •  168  HR)2  -  5.519  X  10*7 

^Vf 

Otherwise: 

^98  -  1.63  X  ID’6 
Xfe  ■  1.143  X 10'6 

PfCNpp'  (4<1C2  X  10’6  *  I®  HR)  +  (1.63  X  10’6  ♦  1.143  X  10'6)  •  168  -  12.09  X  10'4 


(Base  Case) 


■  t*.  wr*  sr 
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1.  Single  failures  in  the  localizer  equipment  that  cause  immediate 

LOCALIZER  SHUTDOWN. 


Calculation 


-^single  failures  XTe 
Single  failures1 


•  1.829  X1D*6 

Km 

-  2.962  X  ID'6 

Kn 

-  1.039  X  ID'6 

\*AA 

-  0.88  X  ID-4 

^2F 

-  2.417  X  ID*6 

\3 

-  0.916  X]0'6 

-  1.116  X10*6 

\s 

-  1.347  X10'6 

\a 

*  0.194  X  10'6 

-  0.311  X  ID'6 

-  0.615  X  ID*6 

^34F 

-  0.137  X  ID'6 

\*S 

-  0.290  X  ID'6 

\«H 

*  0.262  X  ID'6 

K* 

-  1.845  X  ID'6 

\9M 

-  0.690  X  ID'6 

\9A 

-  0.100  X  ID'6 

\oh 

-  0.789  X  ID'6 

\oB 

-  0.386  X  ID'6 

-  0.789  X  ID'6 

S3B 

-  0.386  X  10'* 

^26A 

-  0.789  X  10-6 

\sB 

-  0.386  X  10'6 

LX -20.537  X10*6 

Jc  ■  Critical  Landing  T1m  Interval 


FOR  A  CRITICAL  INTERVAL  OF  50  SECONDS: 

Ps  -  20.537  X  10‘6  *30  sec  -  (20,537  X  10'6).  30/^  HR' 
Ps  -  1,711  X  10"; 


-  ,  W  vw4  •  J| 


i)?*-  W"'  ■ 


I 
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2.  Failure  in  the  main  transmitting  unit  and  a  failure  in  the  standby 

TRANSMITTING  UNIT.  BOTH  FAILURES  OCCUR  WITHIN  THE  CRITICAL  PHASE 
OF  THE  LANDING/  AND  IT  IS  IMMATERIAL  WHICH  FAILURE  OCCURS  FIRST. 

Calculation 
pab  *  Pa+t  X  ?B 

WHERE 

p  T  Is  the  probability  of  loss  of  the  main  transeittlng  unit  or  spontaneous 
transfer  due  to  single  failures  In  the  control  unit. 

P„  Is  the  probability  of  loss  of  the  standby  transartttlng  unit. 

?AB  *  [<K*  ^iai*  -Tc]  *TC) 

-  3.18  X  ID-6 


\a 

-  1.446  X1D*6 

-  1.446  ;:io*6 

\o 

-  4.727  X  ID'6 

-  4.72 7  X  ID'6 

\2 

-  9.984  X  ID'6 

•  9.904  X  ID*6 

-  7.150  X  ID'6 

^78 

-  7.150  X  ID'6 

\a 

-  1.446  X  ID'6 

K 

-  1.446  X  ID’6 

-  7.150  X  ID'6 

\b 

-  7.190  X  10‘6 

S 

-  1D.250  X  id'6 

\o 

-  10.250  X  ID*6 

-  2.651  X  ID'6 

\s 

-  2.631  X  ID’6 

*>A 

•  2.413  X  ID*6 

\>A 

-  2.413  X  ID'6 

^38 

-  0.413  X  ID'6 

-  0.413  X  ID'6 

Ajc 

-  1.453  X  ID*6 

\c 

-  1.453  X  ID'6 

>Sf 

-  12.832  X  ID'6 

-  12.832  X  ID'6 

^36 

-  1.302  X  ID*6 

-  1.3T2X1D'6 

-  1.552  X  10*6 

\h 

-  1.552  X  ID'6 

Ni 

-  0,388  X  ID** 

-  0,388  X  ID'6 

(CmTI’UED) 


(CWltEH) 
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2.  Failure  in  the  main  transmitting  unit  and  a  failure  in  the  standby 
transmitting  unit.  Both  failures  occur  within  the  critical  phase 

OF  THE  LANDING*  AND  IT  IS  IMMATERIAL  WHICH  FAILURE  OCCURS  FIRST. 
Calculation  (CONTINUED) 


^30 

-  0.756  X  ID-6 

^8J 

-  0.756  X  ID"6 

\a 

-  3.949  X  ID*6 

Kia 

-  3.949  X  10‘6 

\b 

-  13.134  X  10‘6 

\lB 

-  13.134  X  ID*6 

\2B 

-  0.134  X  ID'6 

-  0.134  X  ID*6 

\2D 

-  0.070  X  ID'6 

X. 

-  83.110X10'' 

\2E 

-  0.070  X  10  6 

N 

=  83.250  X  IQ*6 

Pw  -  (86.430  X  ID'6  •  50  sec)*  (83.110  X  10*6  *  30  sec) 


PA8 


.13 


4.988  X  10' 


) 
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V 

3.  A  HIDDEN  FAILURE  IN  THE  EQUIPMENT  WHICH  ESSENTIALLY  INHIBITS  THE 
TRANSFER  CAPABILITY  OF  THE  TRANSMITTING  UNITS  AND  THEN  A  FAILURE  IN 
THE  MAIN  TRANSMITTING  UNIT. 

Calculation 

p,c  ■  >a_  x  CP,  x  Pc> 

\  \ 


WHERE 

1$  the  probability  of  the  loss  of  the  auln  transmitting  unit. 

Pg.  1$  the  probability  of  the  loss  of  the  transfer  to  standby  capability. 

XC  Is  the  conditional  probability  that  the  hidden  failures  modes  (\_) 
\  \  will  occur  prior  to  a  main  transmitting  unit  failure  that  L 

'A  /NC  initiates  a  transfer  (X*K 

Pa  *  \*TC  *  (83.25  X  ID'6)  *30  sec  -  6.94  X  10' 7 
pc  «  -  \  -168  HR 


\  m  Nd3J 

T  +  NzA 

\‘03 

m 

1.730  X  ID'6 

\r 

a 

0.545  X  10'6 

\zA 

M 

0.22  X  IQ'6 

\ 

• 

2.49  X  ID'6 

Pc  -  (2.49  X  10"6)  •  168  -  4.192  X  ID'4 

PAC  -  ,76S  •  (4.192  X  ID'4)  •  (6.94  X  ID'7)  -  8.461  X  10' 12 

2.49  ♦  83.25 

f  " 

1 


C-l  9 


I 


1 


f 


V< 
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4.  A  FAILURE  THAT  WILL  RESULT  IN  THE  GENERATION  OF  A  FAULTY  COURSE  DDM, 
SD.1y  OR  RF  PARAMETER  FROM  THE  STANDBY  TRANSMITTING  UNIT/  FOLLOWED  BY 
ANY  FAILURE  IN  THE  MAIN  TRANSMITTER  OR  CONTROL  UNIT  WHICH  CAN  INITIATE 
A  TRANSFER. 


Calculation 


r$TBY 


CSE 


CSE 


X  Ps  X  PA+T 

bcse  *  ' 


CSE 


WHERE 


PR  Is  the  probability  of  a  failure  that  will  result  In  the  generation 

“CSE  of  a  faulty  course  DDM,  SOM,  or  RF  parameter  fro*  the  standby  transmitter. 

P,+T  Is  the  probability  of  loss  of  the  main  transmitting  unit  or  spontaneous 
A  transfer  due  to  single  failures  In  the  control  unit  (previously  identified). 

X. 


"CSE 


K  * 


K 


1AI 


B 


CSE 


is  the  conditional  probability  that  the  standby 
transmitter  failure  modes  (XB  )  will  occur  prior 


to  a  transmitter  or  control 
"A 


CSE 


Initiates  a  transfer  (Xt  ♦  XjA1). 


unit  failure  that 


X. 


"CSE 


^7B 

»  7.150  X  10*6 

-  4.727  X  ID*6 

-  9.984  X  ID*6 

-  0.413  X  ID*6 

»  12.832  X  10*6 

-  1.302  X  ID’6 

Xg 

“CSE 

»  36.41  X  10*6 

\  +  \ai 


"CSE 

^A+T 


r$TBY 


CSE 


83.25  X  10'6  +  3.18  X  10*6- 


86.43  X  10 


-6 


CSE 


168  HR  —  61,16X10* 


(XA  +  XJA1)  .30  sec  -  0.720  X  ID-6 

•  (61.16  X  IQ*4)  •  (0.720  X  10*6) 


86.43  ♦  36.41 


1.305  X  10' 


,-9 


C-20 
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5.  A  FAILURE  THAT  WILL  RESULT  IN  THE  GENERATION  OF  A  FAULTY  COURSE  WIDTH  (DWf) 
PARAMETER  FROM  THE  STANDBY  TRANSMITTING  UNIT,  FOLLOWED  BY  ANY  FAILURE  IN 
THE  MAIN  TRANSMITTER  OR  CONTROL  UNIT  WHICH  CAN  INITIATE  A  TRANSFER. 


Calculation 


{k  •  O 


X  PB  XPA+T 
"sen  *  1 


Po  Is  the  probeblllty  of  a  failure  that  will  result  In  the  generation  of 
"SEN  a  faulty  course  width  (DOM)  parameter  froe  the  standby  transmitter. 

PA+T  -  previously  Identified 


(  BSEN  \  II  i 

w  •  •  \J  “ p 


a  conditional  probability  factor, 
previously  discussed 


\ru  u  \>b  +  \f  +  \ 


VWi 


0.413  X  ID'6  +  12.832  X  10‘6  +  1.302  X  ID*6  -  14.55  X  10*6 


36.43  X  1U* 


PB  »  \  •  168  HR  -  24.44  X  10'4 

“sen  “sen 

Pa+t  -  (\+XIai  )  *-30  sec  -  0.720  X  10* 


_ *(24.44  X  1D*4)*(0.720  X  10*6)  -  2.536  X  ID*10 


86.43  +  14.55 
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6.  A  FAILURE  THAT  WILL  RESULT  IN  THE  GENERATION  OF  A  FAULTY  CLEARANCE  DDM, 

SDH  OR  RF  PARAMETER  FROM  THE  STANDBY  TRANSMITTING  UNIT,  FOLLOWED  BY  ANY 
FAILURE  IN  THE  MAIN  TRANSMITTER  OR  CONTROL  UNIT  WHICH  CAN  INITIATE  A  TRANSFER. 

Calculation 


WHERE 


P_  Is  the  probability  of  a  failure  that  will  result  In  the  generation  of  a 
°CL  faulty  clearance  DOM,  SDH  or  RF  parameter  from  the  standby  transmitter. 


PA+T  -  previously  Identified 


Is  a  conditional  probability  factor, 
as  previously  discussed. 


II 

X 

IQ*6 

x» 

-  7.150  X 

10*6 

\o 

=10,250  X 

10*6 

X« 

=  2,631  X 

10*6 

\« 

=  1.552  X 

10-6 

=  0.388  X 

ID*6 

\o 

=  0.756  X 

10-6 

\ 

BCl 

11  1 
£ 

10*6 

X,*XU1  -  86.13  X  ID'8 

P.  >  \  •  168  HR  *  10.61  X  10'6 

BCl  bcl 

PA+T  -  (\ *  Aui  )  •  30  sec  =  13.720  X  IP*6 

PSTBy  =  24.17  (40.61  X  10*6)  (0,720  X  10**’)  ■  6.591  X  10* 10 

CL  86.43  +  24.17 


C-22 
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7.  A  FAILURE  THAT  WILL  RESULT  IN  THE  GENERATION  OF  A  FAULTY  I.D.  SIGNAL  (OR  LOSS) 
OF  THE  STANDBY  TRANSMITTING  UNIT,  FOLLOWED  BY  ANY  FAILURE  IN  THE  MAIN  TRANS¬ 
MITTER  OR  CONTROL  UNIT  WHICH  CAN  INITIATE  A  TRANSFER. 


Calculation 


rSTBY 


ID 


WHERE 


/  \ 
\VSi  *  \J 


XP,.T 


p.  is  the  probability  of  a  failure  that  Mill  result  In  the  generation  of  a 

bID  faulty  1.0.  signal  (or  loss)  of  the  standby  transmitter 


PA+T  -  previously  discussed 


(\  + 


X 


'ID 


1A1 


_ Visa 

id' 


conditional  probability  factor,  as  previously  discussed. 


ID 


*  1.446 

X10‘6 

-  4.727 

X  ID'6 

-  9.984 

X  ID'6 

\u 

-  3.949 

X  ID*6 

\lB 

*  13.134 

X10‘6 

\bB2 

-  0.338 

X  ID*6 

X 


'ID 


33.58  X  ID 


V  XIai  *  8.643  X  IQ'6 

PB  =  K  •  168  HR  *  56.41  X  10'4 

“id  ^10 

PA+T  -  (\  ♦  X  *A1  )  •  30  SEC  -  0.720  X  10'6 

Pstby  -  33.58  (56.41  X  10*4)(0.72C  X  10' 6)  -  1.135  X  10" 9 

ID 

36.43  +  33.58 


C-  23  i 
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8.  A  FAILURE  THAT  WILL  RESULT  IN  THE  GENERATION  OF  ANY  FAULTY  PARAMETER 
OF  THE  STANDBY  TRANSMITTING  UNIT,  FOLLOWED  BY  ANY  FAILURE  IN  THE  MAIN 
TRANSMITTER  OR  CONTROL  UNIT  WHICH  CAN  INITIATE  A  TRANSFER. 


Calculation 


X  (Xfi«168)  XP. 


p  -  previously  Identified 


^8  Is  a  conditional  probability  factor, 

t - r  T  as  previously  discussed. 

\  *  \ai  +  AB 


X8  =  83.110  X  10"6 

K  *  Km  =  86143  x  ^ 

XB  •  168  HR  =  139. SZ  X  10'4 
p.  t  =  C  X.  +  X*A1)  •  30  sec  ■  0.720  X  10' 


PSTBY  *  — SLUQ - (139.62  X  10’4)  •  (0.720  X  10  ) 

86.43  +  83.110 


5.071  X  10' 


I 
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9.  Power  supply/converter  failures  leading  to  a  shutdown. 
Calc ulat ion 

Pps/CONV  *  ^CONV^JJ,  +  PcONYpp  +  PPSF[r 


WHERE 


Prntiu  Is  the  probability  of  both  main  converters  falling. 
umMAIN 

PcONV  1 5  the  probability  of  both  far  field  monitor  converters  falling. 

P„.  Is  the  probability  of  the  main  power  of  the  far  field  monitor  falling. 

10  FF 


Pconvmain 

II 

x  720  HR1  *(\18  X  30  sec) 

PC0NVff 

=  (X5U  X  720  HR)  •  (\52A  X  30  sec) 

Pps 

rsFF 

31  (\oB  +  ^•BATTpp^  X  720  HR1  •  (\oA 

X  30  sec) 

\l  > 

-  Xj8  -  6.598  X  ID'6 

Nil  A 

-  Xg2A  -  2.412  X  10'6 

NoA 

*  5.790  X  10'6 

\oB 

=  0.519  X  10-6 

XBATT 

=  8.0  X  10'6 

FF 

(Assuaed) 

PPS/C0NV 

-  2.61  ; 

X 10'10  ♦  3.49  X  10'11  +  2.96  X 

10'10  -  5.920  X  10 

-10 


OF  14 


h  monthly  preventive  maintenance  cycle  Is  assumed  for  power  supply  systems. 
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10.  Both  course  /id  monitors  failing,  producing  an  alarm. 


Calculation 

If  landings  are  not  aluj*d  with  a  monitor  mismatch  condition  present; 
Wo  “  <*cse/io'tc)2  (Case1) 


Otherwise: 

Pcse/10  -  (Xcse/io‘168HR)  (Xcse/id*V  (Case2) 

\sE/I0  *  XCSE/IDl  *  XCSE/I02 

Wio:;  -  13.539  X  10-6 

\3AM  =  1.914  X  IQ'6 
^cse/id,*  ^43  X  10 


Wo  -  <K.*  X  10‘6 
Wo  =  X  ^ 


30  sec)2  *  1.657  X  10  14 

1R8  HR)  (15.45 X  ID'6  •  50  sec)  =  3.341  X  10  10 


(Case  1) 
(Case  2) 


".-26 
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11.  Both  sensitivity  monitors  failing,  producing  an  alarm. 

Calculation 

If  landings  are  not  allowed  with  a  monitor  mismatch 

CONDITION  PRESENT: 

fa  ■  <\e»  •  (MSE 1) 

Otherwise: 

P sen  *  <\en  •16BHR){\en  -TC)  <CASE2) 

\en  "  NeNj  *  \en2 

^"SENj  -  ^A  -  *S*  X  XT* 


PSEN  -  (9.596  X  10'6  •  50  SEC)2  -  6.594  X  10'15  (CASE  1) 

PS£N  =  (9.596  X  10'6  •  168  HR)(9.596  X  10'6  •  30  sec)  -  1.289  X  IQ*10  (OSE  2) 


C-27 
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12.  Both  clearance  monitors  failing,  producing  an  alarm. 
Calculation 

If  landings  are  not  allowed  with  a  monitor  mis^tch 
condition  PRESENT: 


PAGE  13  OF  14 


<\i  •  lc>! 


(CASE  1) 


OnCRWISE: 


=  (\L  •  168  HR)(\U  •  Tc)  (CASE  2) 


\Li  =  \iz 


v  *  \* 

CL  j  «3A 


14.509  X  ID" 


PCL  *  (14.509  X  10'6  •  30  sec)2  -  1.461  X  10 


(CASE  1.) 


PCL  -  (14.509  X  10'6  •  168  HR)  (14.509  X  10'6  •  30  sec)  «  2.947  X  10‘10  (CASE  2) 


TABLE  C-2.  Localizer  Shutdown  Probabilities 
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13.  Both  far  field  monitors/receivers  failing,  producing  an  alarm. 
Calculation 

Tf  landings  are  not  allowed  with  a  monitor  mismatch 

CONDITION  PRESENT: 

PFF  .  (\ff.tc)2  (CASED 

Otherwise: 

Pff 

\f 


Pff 

Pff 


C-29 


-  (Xpp‘168  HR)  (>Vf*Tc>  (CASE  2) 

*  \f1  *  Vf2 

Vi:  ^6B  -  11.098  X  ID'6 

X53  -  6.879  X  10'6 

X49„  *  0.022  X  ID'6 

\Fi  -  18.00  X  ID'6 

-  (18.00  X  10"s- 30  sec)2  -  2.250  X  ID*14 

-  (18.00  X  10*6  - 168  HR)«(18.00  X  10'6  - 30  sec)  -  4.536  X  10*10 


14  of  14 


(CASE  1) 
(CASE  2) 


i 


APPEHDIX  D 

6LI0ESL0PE  FAULTY  SIGNAL  AND  SHUTDOWN 
PROBABILITY  CALCULATIONS 
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1.  Probability  of  the  radiation  of  a  faulty  course  position  (path  angle) 
DDM  SIGNAL. 

Calculation 


rCSE 


DON 


Pcf  X  Pjnt 


XP**.  X  PXMT, 

CSE0W  "°V  W,T*CSEdw 


where 

PCF 


P"°V  •  PlNT^ 


DOM 


'XMTR, 


CSE 


+  <P. 


DON 


"V^cse 


DON 


Pf,  Is  i  conditional  factor, 
expressing  the  fact  that  all 
00N  Monitoring  must  be  lost 
before  radiation  of  a  faulty 
DON  signal  In  order  for  such 
a  signal  to  be  undetected. 


I  NT 


CSE, 


DON 


<^nwcse*MI>"+  Vw ON  *« 


Pint  <s  the  probability  of 

ln,CSEnrai  failure  In  the  course 
DOM  Integral  monitor¬ 
ing  circuitry. 


p*>v 


♦  Xu>  •m]'" * <x;E 


•  MI) 


Pie»u  Is  th*  probability  of  a 
W"NF  hidden  failure  In  the  near 
field  DDM  monitoring 
circuitry. 


rXMTR 


CSE 


X, 


•XNTR, 


DON 


CSE 


MI 


DOM 


P»TR  1s  the  probability 

CSEnrM  that  an  actual  faulty 
uun  course  DON  will  be 
radiated,  while  no 
other  parameters 
are  affected. 


MI  ■  Preventive  maintenance  Interval  to  check  for  hidden  failures. 
(One  week  -  168  hours  •  Is  assumed.) 


m 


If  landings  are  not  allowed  with  a  monitor  mismatch  condition 
present  (ABN  light  In  tower). 


1  -  Otherwise. 


TABLE  D-l.  Glideslope  Faulty  Signal  Radiation  Probabilities 
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1.  Probability  of  the  radiation  of  a  faulty  course  position  (path  angle) 

DDM  signal.  (CONTINUED) 

Failure  Rate  Data 

V.lsi  ■  ■  5'®  *  »'6 

If  lawings  are  not  auj»€D  with  "ABN"  light  on: 

*  Ms  ■ 

Otherwise: 

Km  >  M».  *  Ms  -  1.3»  x  v* 


\wNmf  *  ^43B  *  \aB 

-  3.822  X  ID'6 

XJJ  =  0.262  X10'6 

X*E  -  1.143  X  10'6 

Nehtr  : 

“FdON 

\3B  -  0.427  X  ID'6 

c. 

- 12.832  X  ID"6 

K 

-  1.332  X  ID'6 

\oD 

-  0.070  X  ID'6 

\oEl 

-  0.466  X  ID'6 

-  1.231  X  ID'6 

^XNTRcse 

-  16.33  X  ID'6 

DON 

0-3 
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1.  Probability  of  the  radiation  of  a  faulty  course  position  (path  angle) 
DDM  signal  (CONTINUED) 

If  LANDINGS  ARE  NOT  ALLOWED  WITH  A  MONITOR  MISMATCH  CONDITION  PRESENT: 


(5.065  X  ID'6  *168  HR)2  +  (1.140  X  ID*6  *168  HR) 
7.24  X  ID*7  +  1.915  X  ID*4  -  1.92  X  ID*4 


[3.822  X  10*6  ♦  0.262  X  ID'6)  *168  Hr]2  +  (1.143  X  10"6  -  368  HR) 

/■  ti  v  in- ^  i  rr>  v  in-*  _  i  m  u  in-* 


4,71  X  10  +  1.92  X  ID  -  1.92  X  ID' 


16.33  X  10‘6  •  168  HR  *  27.43  X  ID'4 


(1.92  X  ID'4)2 

27.43  X  ID'4  +  (1.92  X  ID*4)2 


1.34  X  ID* 


(1.34  X  ID*5)  •  (1.92  X  ID*4)  •  (1.92  X  ID*4)  •  (27.43  X  ID*4) 
1.370  X  10* 15 


If  LANDINGS  ARE  ALLOWED  WITH  A  MONITOR  MISMATCH  CONDITION  PRESENT: 

PtNT  -  (5.065  X  iO*6  ’158  HR)  +  (1.367  X  ID*6  *168  HR) 

*  ^ 'esc 

00"  -  8.51  X  ID*4  +  2.296  X  ID*4  *  1.08  X  ID*3 
PmH  -  (4.084  X  ID*6  *168  HR)  +  (1.143  X  ID*6  •  168  HR)  -  8.78  X  10*4 

NF 


27.43  X  ID* 


(1.08  X  ID*3)  « (8.78  X  IP*4) 

27.34  X  ID*4  ♦  (1.08  X  ID'3)  •  (8.78  X  ID*4] 


3.46  X  10* 


(3.46  X  10*4)  •  (1.08  X  ID*3)  •  (8.78  X  10*4)  •  (27.43  X  10*4) 


9.001  X  ID* 


D-4 
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2.  Probability  of  the  radiation  of  a  faulty  course  position  SDK  signal, 

I.E.,  INCORRECT  PERCENTAGE  MODULATION. 

Calculation 


Prer  “  Prr  X  Ptmt  X  Pnrrp 

C5ESW  IF  II"Sm/5EN  W^CSE, 


SON/SEN 


P  YMTp  +  P{  WT 

",,RCSEsw  intsom/sen 


Is  a  conditional  factor 
expressing  the  fact  that  all 
■onltorlng  which  will  detect 
an  SUM  fault  (PtMT  ) 
11,1  SON/SEN 
Must  be  lost  before  trans- 
Mission  of  a  faulty  SOM 
signal  (Pj^  )  can  go 

undetected.  ^SON 


SOM/SEN 


Ptwt  Is  the  probability  of 

‘"'SDN/SEN  a  hidden  failure  In 

the  Integral  Monitoring 
or  control  unit  such  that  a 
faulty  course  SDN  signal  would 
be  undetected.  This  factor  ex¬ 
presses  the  fact  that  a  faulty 
course  SDN  signal  would  cause 
alarns  from  both  the  course 
SON  Integral  Monitors  and  the 
sensitivity  Integral  Monitors, 
which  share  the  sane  processing 
In  the  control  unit  ( A.JWM,  •  W ) • 


»  Is  the  probability  that 
CSEcim  an  actual  faulty  course 
SOM  signal  will  be  ra¬ 
diated,  while  no  other 
paroeeters  are  affected. 


Preventive  Maintenance  Interval  to  check  for  hidden  failures. 
(One  week  -  166  hours  -  Is  asstaeed.) 


2  -  If  landings  are  not  allowed  with  a  Monitor  Mlseetch  condition 
present  (ABN  light  In  tower). 

1  -  Otherwise. 
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2.  Probability  of  the  radiation  of  a  faulty  course  position  SDM  signal, 
I .Ei,  INCORRECT  PERCENTAGE  MODULATION.  (CONTINUED) 

Failure  Rate  Data 


X  =  x* 
/xmonCS£ 

^m°n$en 


X*  -  5.065  X  ID'6 

,S35B 

\*  =  3.121  X  ID'6 

^388 


If  landings  are  not  allowed  with  "ABU"  light  on: 
\mON  =  \o2  +  \s  =  l*!4®  X  ID  6 


OtfcrwisE: 

Kwh  -  \*D1  +  *  1.367  X  ID'6 


X 


XMTR 


CSE 


SOH 


38 

\oD 

?\oEl 

Ai _ i 


0.427  X  10'6 
1.302  X  10'6 
0.070  X  10'6 
0.932  X  10'6 
1.251  X  10'6 

3.96  X  10'6 


If  LANDINGS  ARE  NOT  ALLOWED  with  a  MONITOR  MISMATCH  COfCITION  PRESENT: 


I  NT, 


SDN/SEN 


XMTR 


CSE 


=  (5.065  X  ID'6  •  168)  +  (3.121  X  ID'6  •  168 f  +  (1.140  X  10'°  •  158) 
=  7.24  X  10*7  ♦  2.75  X  10'7  +  l .92  X  10'4  =  1.93  X  10'4 
=  3.96  X  10'6  -  168  =  6.65  X  10'4 


SOM 


CF 


1.93 


5.6T  ♦  1.93 


0.225 


Pr 


SE 


SOM 


0.225  *(1.93  X  ID'4)  *(6.65  X  ID'4) 


2.899  X  ID 


-8 


0-6 
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2.  Probability  of  the  radiation  of  a  faulty  course  position  SD*  signal, 

I .E. ,  INCORRECT  PERCENTAGE  MODULATION.  (CONTINUED) 

Failure  Rate  Data  (CONTINUED) 

If  landings  are  allowed  with  a  MONITOR  MISMATCH  CONDITION  PRESENT: 

P!NT  =  (5.065  X  10‘6  •  168)  +  (3.121  X  ID'6  •  168)  +  (1.367  X  10'6  •  168) 

11,1  SOM/SEN 

=  8.51  X  10‘4  +  5.2R  X  10‘4  +  1.92  X  IQ*4  =  1.57  X  10' 3 
6.65  X  10'4 

]SJ  =  0.702 
6.65  +  15.7 

PCSE  =  0.702*  (1.57  X  10"3)C6.65  X  ID'4)  =  7.5R8  X  10'7 
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3.  Probability  of  the  radiation  of  a  signal  that  is  faulty  with  respect 
TO  COURSE  RF  POWER. 

Calculation 


rCSE 


RF 


-  F'cpXP 


I  NT, 


X  Pup  X  PX«TD 

CSErf  nfrf  WTRCSErf 


’.•(here 
pcf  * 

PINTcse  =  +  \non*^ 

PNFrf  =  (^honnf  +  \x  +  \y>  *  ^ 


Hser;  Pf% 


PXMTR  +  (P 
CSErf 


XMTR, 


CSE 


X 


XMTR, 


RF 


CSE 


ra 


RF 


PCF  is  a  conditional  factor, 

expressing  the  fact  that  all 
RF  monitoring  must  be  lost 
before  radiation  of  a  faulty 
RF  signal  in  order  for  such 
a  signal  to  be  undetected. 


PINT  is  the  probability  of 

CSErf  failure  in  the  course 
RF  integral  monitoring 
circuitry. 


PNF  is  the  probability  that  the 
kF  near  field  monitoring  cir¬ 
cuitry  will  fail  to  generate 
an  "abnormal"  indication  when 
a  faulty  RF  signal  is  radiated. 


Pxmto  I*  the  probability  that 

CSErf  a  signal  that  is  faulty 
with  respect  to  RF  power 
will  be  radiated  while 
no  other  parameters  are 
affected. 


m 

w 


Preventive  maintenance  interval  to  check  for  hidden  failures, 
(one  week  -  168  hours  -  is  assumed.) 

2  -  If  landings  are  not  allowed  with  a  monitor  mismatch 
condition  present  (ABN  light  in  tower). 

1  -  Otherwise. 


( 
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3.  Probability  of  the  radiation  of  a  signal  that  is  faulty  with  respect 
to  course  RF  power.  (CONTINUED) 


Failure  Rate  Data 

^M0Ncse  “  ^34B  *  ^35B  “  5.065  X  ID 


If  landings  are  not  allowed  with  "ABN"  light  on: 
X1M0N  -  1.140  X  ID’6 

Otherwise: 

-  1.367  X  JO'6 

'  K,  -  -  3.822  X  lD'e 

Nr 

=  0.262  X  ID'6 
XJJ  *  2.043  X  ID-6 


Kz 

-  6.734  X  ID*6 

K 

-  0.686  X  ID'6 

^38 

-  0.427  X  3D'6 

-  1.302  X  ID'6 

Noei 

-  0.466  X  ID'6 

-  1.231  X  ID'6 

^XMTRP«.r 

“erf 

-  10.85  X  ID'6 

If  landings  are  not  allowed  with  a  monitor  mismatch  COMHTION  PRESENT: 

P,NT  -  (5.065  X  ID*6  *168  HR)2  +  1.140  X  ID-6  *  168  HR 

CSErf  -  7.24  X  10*7  +  1.915  X  ID'4  -  1.92  X  10"4 

P«  -  (3.822  X  1D'6+  0.262  X  ID'6  +  2.043  X  ID'6)  *  158  HR  -  10.29  X  ID'4 

nfrf 


0-9 
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3.  Probability  of  the  radiation  of  a  signal  that  is  faulty  with  respect 
to  course  RF  power.  (CONTINUED) 


PXMTR  =  10.85  X  10"6  •  168  HR  =  18.23  X  I0*4 

*"ikCSErf 

Pcf  -  (l.g  x  IQ-4)  •  (10.29  X  10-4)  „  L08  x  10-4 

18.23  X  ID'4  +  (1.92  X  10*4)  •  (10.29  X  10*4) 

PCSE  *  (1.08  X  10'4)  •  (1.92  X  10*4)  •  (10.29  X  10'4)  •  (18.23  X  10'4) 

UitRF 

PCSE  *  3.917  X  ID*14 

i.itRF 


If  landings  are  allowed  with  a  MONITOR  MISMATCH  OOfOITION  PRESENT: 

PINT  =  (5.065  X  10'6  •  168  HR)  +  (1.367  X  10"6  •  168  HR) 

lr<Lt 

LbtRF 

=  8.51  X  10*4  +  2.30  X  ID*4  =  10.81  X  10‘4 

PNF  *  1  (Since  a  monitor  mismatch  from  a  near  field  alarm  will 

RF  be  ignored  in  this  case.) 


XMTR  =  18.23X10 

LitRF 


-4 


10.81 


CF 


18.23  +  10.81 


=  0.372 


=»  0.372  •  (10.81  X  ID’4)  •  (18.23  X  ID'4) 
-  7.331  X  10-7 


D-10 
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A.  Probability  of  the  radiation  of  a  signal  that  is  faulty  with  respect 

TO  SENSITIVITY  DDM, 

Calculation 


Peru  =  Pcf  X  Pjnj  X  Pvurp 

itnDDM  U  SEN  *"IRSEN 


WHERE 

Pcf  =  Pintsen 

Pxmtrsen  +  pint$en 

PintS£n  =  (^onsen*MI^  +  X1M0N 
Pxhtrsen  =  Xxmtrsen  *  MI 


p 

CF  Is  a  conditional  factor,  as 
previously  described. 


PINT  is  the  probability  of  fai- 
SEN  lure  of  course  width  sensi¬ 
tivity  DDM  Integral 
monitoring  circuitry 
(hidden  failure). 


Pvmtr  1s  the  Prob«bi 1 ity  that 
kSEN  an  actual  faulty  course 
width  signal  will  be  ra¬ 
diated  while  no  other 
parameters  are  affected. 


fU  =  Maintenance  Interval  (168  hours  assumed) 


w 


2  -  If  landings  are  not  allowed  with  a  monitor  mismatch 
condition  present  (ABN  light  in  tower). 

1  -  Otherwise. 


Failure  Rate  Data 


X 


MON, 


SEN 


^378  “  \*8B  "  3.121  X  lO'6 


If  uycings  are  not  allowed  with  "ABN*  light  on: 

X1M0N  -  1.1*0  X  ID'6 

Otherwise: 

X1M0N  -  1.367  X  10'6 


D-ll 


II  r  * 
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4.  Probability  of  the  radiation  of  a  signal  that  is  faulty  with  respect  to 
sensitivity  DOM.  (Continued) 

Failure  Rate  Data  (Continued) 

FOR  THE  TWO  FREQUENCY  GLIOESLOPE, 

X^RSEN  =  ^3G1  +  ^10D  +  ^11 A 

=  0.5234  X  10'6  +  0,2750  X  ID'6 

FOR  THE  ONE  FREQUENCY,  NULL  REFERENCE  GLIDESLOPE, 

XxMTRSEN  *  ^301  +  ^100  +  ^UA 

=  0.5234  X  10'6  +  0.2351  X  10'6  +  0.0101  X  10'6  *  0.3186  X  10'6 

FOR  THE  ONE  FREQUENCY,  SIDE  BAND  REFERENCE  GLIDESLOPE, 

XxMTRSEN  =  X3G1  +  \oO  +  ^UA 

«  0.5234  X  10‘6  +  0.2750  X  10‘6  +  0.0101  X  10'6  =  0.8035  X  10'6 


(base  case) 

+  0.0101  X  10'6  =  0.8085  X  10'6 


IF  LANDINGS  ARE  NOT  ALLOWED  WITH  A  MONITOR  MISMATCH  CONDITION  PRESENT: 


I  NT, 


1.92  X  10' 


,-4 


SEN 


-  0,808  X  10'6  -  168  HR  =  1.36  X  10’4 

xmtrSEn 


(base  case) 


1.92 


CF 


1.36+  1.92 


-  0.586 


PCCM  =  0.586  •  (1.92  X  10'4)  •  ( 1.36  X  10"4)  =1.525  X  10*8 

sendom 


IF  LANDINGS  ARE  ALLOWED  WITH  A  MONITOR  MISMATCH  CONDITION  PRESENT: 


intsen 

(3.121  X  10‘6  • 

168)  +  1.92  X  10'4  =  7.54  X  10‘4 

XMTRsen 

1.36  X  10'4 

)  = 

•^4 

II 

0.347 

CF 

1.36+  7.54 

>SENDIW  = 

0.847  •  (7.54 

X  10-4)  •  (1.36X  10‘4)  -  8.676  X  10 

-8 


0*12 


’V.tlA-waiA  JIISI  I'.'JII.'I 

-  rt  ilh'ti 


TABLE  D-l.  Glideslope  Faulty  Signal  Radiation  “robabilities 


PAGE  12  OF  IP 


5.  Probability  of  the  radiation  of  a  faulty  clearance  signal 
(DDM,  SD*,  or  PF). 

Calculation 


Pci  =  pcf  x  pintcl  x  Pxmtrcl 


WHERE 

Pcf 


rXNTR, 


CL 


I  NT 


CL 


P--  is  a  conditional  factor,  as 
L  previously  discussed. 


PlNTCL  "  ^ONCL*Mn  +  'MmON  *  MI 

pxntrcl  =  ^xmtrcl  *  MI 


PTMT  Is  the  probability  of  a 
1N  CL  hidden  failure  of  any  of 
the  clearance  monitoring 
circuitry. 


Pvutd  is  the  probability  that 
kCL  the  radiation  of  the 

clearance  signal  will  be 
faulty  with  respect  to 
DDH,  SDH,  or  RF  parameters. 


fll  *  Maintenance  Interval  (168  hours  assumed). 


m 


2  -  If  landings  are  not  allowed  with  a  monitor  mismatch 
condition  present  (ABN  light  in  tower). 

1  _  Otherwise. 


Failure  Rate  Data 

^  ■  >4.  -  •  5.077  X  ID'6 

If  landings  are  not  allowed  with  "ABN"  light  on: 

■  LIU  X  ID'6 

Otherwise  : 

■  1.36X  X  ID'6 


0-13 


1 
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5.  Probability  of  the  radiation  of  a  faulty  clearance  signal 
(DD?1,  SDM  or  RF).  (CONTINUED) 


Failure  Rate  Data  (Continued) 


X 


XHTR 


CL 


^4A 

=  1.914 

X 

IQ-6 

=  6.734 

X 

ID-6 

^3H 

=  1.175 

X 

ID’6 

XoEl 

-  0.466 

X 

10'6 

\l 

-  1.231 

X 

io-6 

X, 


■xmtrcl  *  11-52  X  ID 


-6 


If  landings  are  not  allocd  with  a  monitor  mismatch  condition  present: 
Pt 


WCL 

=  1.92  X  10'4 

Wrcl 

=  11.52  X  10*6  • 

168  HR  =  19.35  X  10'4 

CF 

x  1.92 

-  9.03  X  ID*2 

19.35  +  1.92 

CL 

*  (9.03  X  10' ?) 

•  (1.92  X  ID'4)  • (19.35  X  ID'4) 

1*8 


If  landings  are  allowed  with  a  monitor  mismatch  condition  present: 


INT 


CL 


=  (5.077  X  10'6 -168)  +  1.92  X  ID'4  -  1Q.«  X  ID*4 


XHTR 


CL 


rCF 


19.35  X  10 
10.45 


-4 


o.s 


19.35  +  10.45 


rCL 


(0.35)*  (1.45  X  1D*V  (19.35  X  ID'4)  -  7.522  X  10*7 


0-14 
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6.  Probability  of  the  radiation  of  a  faulty  signal,  due  to  antenna  tower 

MISALIGNMENT. 

Calculation 


ATM 


X  PMD  X  PTM  + 


WHERE 


MD 


P  +  P 

rTM  rMD 


P  Is  a  conditional  factor,  as 
^  previously  described. 


P  Is  unpredictable,  being  a  function 
™  of  external  and  uncontrollable  forces. 

p  .  p  .  135  SEC 


P  Is  the  probability  of  the  loss 
of  tower  misalignment  detection 
and  not  producing  an  alarm  (no 
"abnormal"  light  In  tower). 

P  Is  the  probability  that  the  gllde- 
™  slope  antenna  tower  will  become 
misaligned  within  the  preventive 
maintenance  interval. 

P  Is  the  probability  that  the 

•"DELAY  glideslope  antenna  tower 

will  become  misaligned  within 
the  135  second  delay  of  the 
misalignment  detector  alarm. 


ffl  ■  Maintenance  interval  (168  hours  assumed) 

♦  Kz  •  2.35A  X  IDT6  ♦  0.908  X  ID*6  -  3.262  X  ID*6 


i 


If  landings  are  not  allowed  with  "ABN"  light  on: 


'H> 


TM 


3.262  X  10*6  •  168  HR  «  5.A80  X  ID 


-« 


•0 


(Base  case  assumption) 


P™»K,Y  ’  P™  ‘  ‘  ^  ‘  M  '  0  '  2,3  X  10’4  *  0 


ATM 

OnCRNISE: 

P» 

PTM 

PATM 


5.A80  X  10*4  •  0  -  0 

1  ("Abnormal*  Indication  from  misalignment  detection  Is  Ignored.) 

P.^  ■  0  (Base  case  assumption) 

"delay 

0 
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1.  Single  failures  in  the  glideslope  equipment  that  cause  immediate 

GL! DESLOPE  SHUTDOWN. 


Calculation 


£xs, 

X 


NGLE  FAILURES 


X  Tr 


SINGLE  FAILURES' 


3 

1.829  X  10'6 

= 

2.982  X  ID'6 
£ 

X 

1.039  X  ID'6 

k. 

— 

0.88  X  ID'6 

\oE 

= 

1.951  X  ID'6 

3 

1.231  X  10'6 

X12 

= 

0.778  X  10'6 

\s 

= 

0.098  X  ID"6 

\ta 

= 

0.100  X  10'6 

\b 

= 

1.U5  X  ID'6 

Xj9 

= 

1.11S  X  ID'6 

Xg2 

S 

1.115  X  10'6 

= 

1.115  X  ID'6 

Ex. 


15.343  X  ]ff 


.-6 


Tc  =  Critical  landing  time  interval 

FOR  A  CRITICAL  INTERVAL  OF  15  SECONDS! 

Ps  =  IS,  54?.  X  10'®  •  15  SEC 
*  (15.348  X  lO-6)  •  15/3500 
Ps  =  8.305  X  10'8 


I 

1 
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|  2.  Failure  in  the  main  transmitting  unit  and  a  failure  in  the  standby 

I  transmitting  unit.  Both  failures  occur  within  the  critical  phase 

-  OF  THE  LANDING  (15  SECONDS  FOR  GLIDESLOPE),  AND  IT  IS  IMMATERIAL 

WHICH  FAILURE  OCCURS  FIRST. 

f 

Calculation 

Pas  *  Pa+t  X  Pb 
where 

P.+T  Is  the  probability  of  loss  of  the  Min  transacting  unit  or 

spontaneous  transfer  due  to  single  failures  In  the  control  unit. 

PB  Is  the  probability  of  loss  of  the  standby  transacting  unit. 

Pab  *  [(*A  +  *1A1}  Tcj.O*  * Tc) 

Kn  -  3.38  X  ID'6 


K 

-  6.734  X3D'6 

v  \ 

-  6.751  X  3D*6 

Ka 

-  1.914  X30'6 

Ka 

-  1.914  X  3D'6 

Kb 

-  6.734  X  1D‘6 

Kt 

-  6.751  X  ID'6 

K 

-  0.686  X  3D'6 

•  0.686  X  3D'6 

*3A 

-  2.613  X  ID*6 

*7A 

-  2.613  X  3D*6 

*38 

-  0.*B7  X  ID*6 

*78 

-  0.<G7X1D'6 

*3C 

-  1.<63X  ID'6 

*7C 

-  1.453  X  3D'6 

*3F 

-  32.832  X  3D'6 

*7F 

-  32.832  X  ID*6 

Ks 

•  1.302  X  ID'6 

*7G 

-  1.302  X  10'6 

*3H 

-  1.176  X  ID'6 

*?H 

-  1.376  X  ID'6 

*iOt 

•  0.134  X  ID'6 

*iOB 

-  0.134  X  3D*6 

Xiftft 

-  0.070  X  ID’6 

*8 

-  36.01  X  10  6 

*A 

-  36.07  X  ID'6 

PM  -  (39.25  X  ID"6  •  35  sec)  •  (36,01  X  10T6  •  15  sec) 
P«  -  2.453  X  ID"14 


I 


0-17 


f 


M 


i 
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3.  A  hidden  failure  in  the  equipment  which  essentially  inhibits  the 
TRANSFER  CAPABILITY  OF  THE  TRANSMITTING  UNITS  AND  THEN  A  FAILURE 
IN  THE  MAIN  TRANSMITTING  UNIT. 

Calculation 

p.c  -  X(P.XPC) 


WHERE 


I 

t 

I 

I 


j 


« 

I 

•  i 


PA  Is  the  probability  of  the  loss  of  the  main  transmitting  unit. 

Pc  Is  the  probability  of  the  loss  of  the  transfer  to  standby  capability. 


Xc 

xA  *  K 


Is  the  conditional  probability  that  the  hidden  failure 
modes  (\f)  will  occur  prior  to  a  main  transmitting 
unit  failure  that  Initiates  a  transfer  (\*h 


pa  a  Xfl  *TC  =  (36.07  X  10'6)  .15  sec  -  1.50  X  10'7 


Pc  *  XC.W  -  \  -168  HR 


Xc  =  \o3  *  XIT  ♦  XJ0A 
XJoj  »  1.730  X  19'6 
XlT  -  0.5*45  X  10'6 
X12A  -  0.22  X10'6 


\  -  2.*l95  X  10'8 


); 


Pc  =  (2.405  X  10'6)  •  168  =■  4.192  X  10'4 

PAC  =  2.495  .(4.192  X  IQ'4)  *  (1.50  X  10~7)  -  4.075  X  10' 

2.495  +  36.07 
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4.  A  FAILURE  THAT  WILL  RESULT  IN  THE  GENERATION  OF  A  FAULTY  COURSE  DDM,  SDH 
OR  RF  PARAMETER  FROM  THE  STANDBY  TRANSMITTING  UNIT,  FOLLOWED  BY  ANY  FAILURE 
IN  THE  MAIN  TRANSMITTER  OR  CONTROL  UNIT  WHICH  CAN  INITIATE  A  TRANSFER.. 

Calculation 


1$  the  probability  of  a  failure  that  will  result  In  the  generation  of 
CSE  a  faulty  course  DOM,  SDH  or  RF  paraaeter  from  the  standby  transaitter. 

+T  is  the  probability  of  loss  of  the  main  transmitting  unit  or  spontaneous 

transfer  due  to  single  failures  in  the  control  unit  (previously  identified) 


is  the  conditional  probability  that  the 
standby  transaitter  failure  aodes  (\D  )  will 

Brer 

occur  prior  to  a  transmitter  or  con¬ 
trol  unit  /allure  that  initiates  a  transfer 

<VA1A1  >• 


\cs£:  \  *  6.734  X  ID'6 

\  -  0.686  X  10*6 

\B  •  0.427  X  ID-6 

\F  -  12.832  X  ID*6 

\G  -  1.302  X  10*6 

\  -  21.98  X  10*6 

BCSE 


»  ♦  *  ui  “  55.07  X  10*6  +  3.18  X  10*6  -  39.25  X  ID*6 

scse“  \se  *158HR  "  36.93  X  ID*4 

UT  "  +  Kai  )  •  15  sec  -  0.1541  X  IQ*6 

5TBY  -  21.98  .(36.93  X  10*4)(  0.164  X  ID*6)-  2.167  X  ID*10 

ae  39.25  +  21.98 
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5.  A  FAILURE  THAT  WILL  RESULT  IN  THE  GENERATION  OF  A  FAULTY  COURSE 
WIDTH  (DDM)  PARAMETER  FROM  THE  STANDBY  TRANSMITTING  UNIT,  FOLLOWED 
BY  ANY  FAILURE  IN  THE  MAIN  TRANSMITTER  OR  CONTROL  UNIT  WHICH  CAN 
INITIATE  A  TRANSFER. 


Calculation 


r  STBY 


SEN 


A, 


“SEN 


Aft  ♦  Aja1  +  A*sen 


X  PB  X  PA+T 

“sen  * ' 


WHERE 


“SEN 


fs  the  probability  of  a  failure  that  will  result  in  the  generation 
of  a  faulty  course  width  (DDM)  parameter  from  the  standby  transmitter. 


P  ^  -  previously  identified 


Afl 


SEN 
T - 

Mai 


A*- 


As 


SEN 


is  a  conditional  probability  factor, 
as  previously  discussed. 


Absen  *  A7B  +  XfF  -  a7g 

*  0,427  X  10'6  +  32.832  X  10‘6  +  1.302  X  10‘6  =  14.56  X  10'6 

K*  Km  =  30.25  X  ID'6 

PR  -  Xr  •  168  HR  *  24.46  X  ID"4 

“sen  ^SEN 

Pfl+T  *  Km^  *  sec  «  0.164  X  10‘6 


Psrny  =  14|S6  « (24.46  X  ID'4)  *  (0.164  X  10~6)  -  1.082  X  10'10 

SEN  39.25  +  14.56 
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6.  A  FAILURE  THAT  WILL  RESULT  IN  THE  GENERATION  OF  A  FAULTY  CLEARANCE  DDM, 

SDM  OR  RF  PARAMETER  FROM  THE  STANDBY  TRANSMITTING  UNIT/  FOLLOWED  BY  ANY 
FAILURE  IN  THE  MAIN  TRANSMITTER  OR  CONTROL  UNIT  WHICH  CAN  INITIATE  A  TRANSFER. 


Calculation 


rSTBY 


CL 


X 


'  (W^)XPiti 


xp 


A+T 


WHERE 


P-  Is  the  probability  of  a  failure  that  will  result  In  the  generation 

DCl  of  a  faulty  clearance  DOM,  SDM  or  RF  parameter  from  the  standby  transmitter. 


PA+T  -  previously  Identified 
/  BCl  \  Is  a  condl' 

X  ♦  >H.i  ♦  V.  /  "r" rtoa 


conditional  probability  factor,  as 
discussed. 


1 

1 

1 

\  : 
bcl 

>* 

00 

> 

-  1.914  X  ID”6 

1 

i 

1 

-  6.734  X  ID'6 

1 

>\ 

i 

» 

\, 

-  1.176  X  ID-6 

\  -  9.82  X  ID'6 

Bci 


vm. 


1A1 

"CL  BCl 


39.25  X  10 


,-6 


PB  -  \  •  158  HR  *  16.90X10“ 

®/*i 


-4 


rA+T 


<\  +  \*A1  )  *15  SEC  -  0.164  X10’6 


Pstby  “  9,82  ‘(16.50  X  10'4)‘(0.164X  10‘6)  -  5.399  X  10‘n 

CL  39.25  ♦  9.82 
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7.  A  FAILURE  THAT  WILL  RESULT  IN  THE  GENERATION  OF  ANY  FAULTY 
PARAMETER  OF  THE  STANDBY  TRANSMITTING  UNIT,/  FOLLOWED  BY  ANY 
FAILURE  IN  THE  MAIN  TRANSMITTER  OR  CONTROL  UNIT  WHICH  CAN 
INITIATE  A  TRANSFER. 

Calculation 


Pst,,  ■  - - -  X  (A,  -168)  X  P,.T 


WHERE 


PA+T  -  previously 

Nl 

K  *  \*A1  +  \ 


Identified 

Is  a  conditional  probability  factor, 
as  previously  discussed. 


\  =  36.01  X10*6 
\  ♦  X*A1  =  39.25  X  10'6 
Xb  - 168  HR  =  62.58  X  10'4 

Pa+t  *  (XA  *  XJA1)  «15  sec  =  0.164  X  10*6 


Pstby  =  35,01  « (62.58  X  10'4)  « (0.164  X  10~6)  -  4.983  X  10' 10 

39.25  +  36.01 
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8.  Converter  failures  leading  to  a  shutdown. 


Calculation 


pconv  3  <\s  X  720 HR)1  X  (\lfi  X  15  sec) 


PcONV  is  the  probability  of  both  main  converters  falling. 

\s  -  \6  =  6.598  X  10'6 
Pconv  =  1.306  XIO*10 

*  A  monthly  preventive  maintenance  cycle  is  assumed  for  power  supply  systems. 

9.  Both  course  monitors  failing,  producing  an  alarm. 

Calculation 


If  landings  are  not  allowed  with  a  monitor  mismatch 


condition  present: 


PCSE  *  (\:SE  *V2 


Otherwise: 


PCSE  -  <\se  •  168)  (\SE  •  Tc) 

\  .  X  .X 

CSE  CSE1  CSE2 

\sei  •  Vaa  -  12.918  X  ID*6 


(CASE  1) 


(CASE  2) 


(12.918  XIO'6  •  15  stcf *  2.897  X  10"15 

(12.918  X  10'6  *  168  HR)  (12'91S  X  10*C  *  I5  sec)  1.168  X  10' 


(CASE  1) 


(CASE  2) 
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10,  Both  sensitivity  monitors  failing,  producing  an  alarm. 
Calculation 

If  landings  are  not  allowed  with  a  monitor  mismatch 
condition  present: 


PsEN  *  ^SEN  *  TC) 

(CASE  1) 

Otherwise: 

f*SEN  =  (^SEN  •  168  HR)(Xsen  *T(0 

(CASE  2) 

NlN  =  \e«1  =\en2 

•  9.596  X  10'8 


PSEN  =  ( 9.oC  X  10'6  *15  sec)2  =  LS98X10’15 

o,jEN  =  (9.60  X  1C'6  *  168  HR)  (q.m  *15  sec)  =  6.A45  X  10 


II.  Both  clearance  monitors  failing,  producing  an  alarm. 
Calculation 

If  landings  are  allowed  with  a  monitor  mismatch 

CONDITION  PRESENT: 

PCL  =  ( V  •  Tc  )2  (CASE  1) 


Otherwise: 


PCL  =  (Ay,  •  168  Hn) V Ay,  •  Tr) 


cl 


cl 


(CASE  2) 


A  _  A.  -  X 
CL  *  CL  1  CL2 


\li  =  \m  =  13. 273  X  10' 


P:l  *  (13.27  X  10'6  *5  SEC)2  =  3.053  X  10'15 

PCL  =  03.2/  X  IQ’6  •  168  HR)  (13.27  •  15  sec)  -  1.233  X  10'10 
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(CASE  1) 
(CASE  2) 


(Case  1) 
(Case  2) 


o-r-J 
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12.  Both  near  field  monitors/peak  detectors  failing,  producing  an  alarm. 
Calculation 


If  landings  are  not  allowed  with  a  monitor  mismatch 

CONDITION  PRESENT: 


Pnf  “  ^  Nif  *  Tc  1 


(CASE  1) 


Or>CRWISE: 

Pnf  -  <\f  •  168  HR)  ( \F  •  Tc) 

\r  =  \fi  =  \fi 

\rv  -  H.099  X  ID'6 

\8  =  1.115  X  ID*6 
\Fl  -  12.26  X  ID*6 


(CASE  2) 


PNF  «  (12.26  X  ID*6  *15  sec)2  -  2.609  X 10“ 15  (CASED 

PNF  «  (12.26  X  10*6  •  168  HR)  (12.26  X  10*6  *15  sec)  -  1.0B2  X  ID'10  (CASE  2) 


